Related
What I wanted was a simple, secure way to access my home computer remotely from my android phone. I know there are vpn options but I’ve seen that cause battery drain issues if in constant use, and also is more than I wanted/needed to setup. I know I could just setup a ssh server but leaving port 22 open on the remote computer for anyone to scan and hack the password seemed too insecure for me. So I came up with this solution and have been using it for about 2 years now without any problems. I thought maybe I should share this method since it may be of use to someone else and I don’t know of anyone else putting all these together for use with android.
What this does:
By running a small script on your android phone in terminal (only 2 commands), your phone knocks 3 specific ports, in a specific order (like a combination lock), your remote computer recognizes this order and opens port 22 for 10 sec. Your script then ssh’s the remote computer on port 22 and you log in. The port 22 on the remote computer closes so no one else can see it, but the keep-alive feature keeps your ssh session open so you can do whatever you need, for as long as your like, without worrying about someone port sweeping the remote computer and seeing the port open, or brut forcing a ssh password on it. You with me so far?
Now the ssh session also uses port forwarding to forward port 5900 from the remote computer to port 5900 on the localhost of the android phone. Now you can open your vnc client and connect to the remote computer through your ssh tunnel and see your x11 desktop. So you know also have a secure VNC connection! All this is done securely and only runs ondemand.
While this may look like a lot to setup, it’s actually quite easy and should only take about 15min tops. This tutorial should be complete but if I’ve forgotten anything, let me know and I’ll be sure to update this page.
In other words, run two simple commands within a script and you have secure access to your remote computer from your phone! Enjoy!
Pros:
- Secure
- Works on 3G and wifi
- Runs on all android versions
- Works on all x11 GUI’s (gnome, kde, etc). Assuming a VNC session is also desired.
- Fun!
Problems:
- This only works on linux computers, although I’m sure there is a way to setup port knocking on windows. I have no use for this, but if people are interesting, I can add a way to my tutorial as well.
Howto:
Setup Remote Computer:
First we need to setup the remote computer. This is geared towards Debian/Ubuntu but small adjustments should have it working on all distros (I’m using Debian Squeeze personally). Let’s begin:
First we need to install a few packages if not already there:
Code:
apt-get install openssh-server x11vnc knockd
Now lets configure your ssh daemon. Using nano or another text editor, edit /etc/ssh/sshd_config:
Change the following line to read as follows:
Code:
PermitRootLogin no
This will disable root login, so you will login in as a user and then su to root (You can leave root login if desired, it’s just less secure and not recommended).
Next we need to edit our iptables, so open /etc/network/if-pre-up.d/iptables and add the following:
MAKE A BACKUP FIRST OF THIS FILE
Code:
# Accepts all established inbound connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
iptables -A OUTPUT -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
Now we setup our port knocking. Edit /etc/knockd.conf:
Code:
[options]
UseSyslog
[openSSH]
sequence = port1,port2,port3
seq_timeout = 5
command = /sbin/iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
cmd_timeout = 10
stop_command = iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j DROP
tcpflags = syn
[closeSSH]
sequence = port1,port2,port3
seq_timeout = 5
command = /etc/init.d/ssh stop
tcpflags = syn
The section [openSSH] is what opens the port for 10 sec by running the iptables command and then drops the packets after the time expires, running the stop_command. The section [closeSSH] is not needed. It was a failsafe I use in case I want to disable ssh if I thought I was getting hacked and could not login. This is also left to show how you can use the knocking to run different commands using another sequence of ports (for ftp, etc.)
Now lets restart the network interface and restart the knock daemon:
Code:
ifconfig eth0 down #adjust to whatever interface you use normally
ifconfig eth0 up
dhclient
/etc/init.d/knockd restart
/etc/init.d/sshd restart
Test your internet and make sure it works. To make sure you have it setup to run on boot, first determine your runlevel:
Code:
runlevel
Make sure knockd, ssh are in the /etc/rcX.d (where X equals your runlevel). If not, add it
Code:
ln -s /etc/init.d/knockd /etc/rcX.d/S02knockd
And so on for shh if needed, (again, adjust X to equal your runlevel)
Setup X11VNC password:
Code:
x11vnc --store password
create a script for ~/bin/x11vncserver
add this to the script
Code:
#!/bin/bash
x11vnc -safer -forever -usepw -noxdamage
The “-noxdamage” fixes a display problem of the desktop not updating in the android vnc client. Now if using gnome and you only care about vnc login for one user then, goto System → Preferences → Startup Applications → Add →
Name = VNC Server
Command = x11vncserver &
Or add to GDM for access to any user, add to /etc/gdm3/Init/Default:
Code:
x11vnc -safer -forever -usepw -noxdamage
DONE! (KDE will be similar but slightly different to load on login, post if help is needed)
Setup android phone:
create script called knockh in /system/xbin. Then add this:
Code:
nc -z [ipaddress] port1 port2 port3
ssh -L 5990:localhost:5900 [email protected][ipaddress]
Replaces the ipaddress with your own (google “what is my ip” if you don’t know your external ip). Replace the ports with the ones used in the config file above for knockd. Change the user to whatever user has ssh rights. Then
Code:
chmod 755 /system/xbin/knockh
Now run knockh in the terminal and you should see a login for ssh on your remote computer.
Next download “android-vnc-viewer” from the market (it’s free). Create a new connection by selecting “new” from the dropdown box.
Create a nickname, enter your x11vnc pasword, address is “localhost” and port is “5900”. For 3G connections, I recommend 8 colors, for wifi 256. I also check the “Local mouse pointer” in the checkbox. Now click connect and see your desktop!
(If you are on your local wifi network be sure to create another connection for your local ip address)
Fixes:
Keep in mind this is for remote networks, if you are on your local lan, this won’t work without changing the ip address.
If using a router or modem, setup port forwarding to your remote computer for TCP ports 5900, 22, port1, port2, port3 (your port knocking ports). Also make sure to setup a static dhcp for the remote computer so your router/modem doesn’t change it’s ip address and you can’t connect.
If you are using an ISP that doesn’t give you a static ip address for your router, you will not be able to login whenever they change it, you’ll have to update the script first with the new IP. A solution is to setup a dynamic dns, using dyndns.org or something similar. Free options are out there, just google it.
I hope this helps, please post if you have any questions, comments, etc. Enjoy!
-Mike
On some roms, the busybox version of "nc" does not allow the -z command for knocking the proper ports. I've pulled the version of it from CM 7.2 and put in my /system/xbin and full functionality has been retained. I've included both "nc" and "ssh" here and they should work fine if you are missing them. (Tested on my EVO LTE running mostly stock Sense ICS, but this is fine for other android versions)
nc
ssh
Hope this helps!
-Mike
I have ConnectBot configured to tunnel to a remote machine and the appropriate ports forwarded to access several services on that machine. As I understand it I further need a proxy layer to pass traffic to ConnectBot locally. I currently use proxydroid for this purpose. It worked the first time I configured it and I only recently found something about it I do not like and went in search of alternative proxy apps that might behave in the way I need.
The goal is to be able to write a Tasker sequence that connects the tunnel (completed this portion) and then activates the proxy. Unfortunately there is not automated way that I can determine to toggle proxydroid active/inactive. The interface, AFAICT, requires manual interaction in order to turn it on and off. proxydroid does have an option to automatically connect in the presence of certain networks but that it almost entirely useless to me, in fact, it would be better if it could connect when a particular network is NOT present.
Anyhow, in my search for alternative proxies I discovered a few apps that have some serious potential but hardly work:
Auto Proxy (not to be confused with AutoProxy): Is free, has amazing options for autoconnecting based on IP strings (which would be super and not involve Tasker at all) and has some of the more unique features. Unfortunately this proxy does not work in the least. I may be doing it wrong but it should be kept in mind that I can easily use proxydroid so the settigns are a known factor.
AutoProxy Lite: Is free, has fairly limited options and requires the paid version to autoconnect but even then autoconnection appears to be based on network presence which as I have mentioned is useless. This one I can get to work although I have to enter the necessary ports in the forwarding section which is really strange to me. The port forwarding should be happening at the tunnel not at the application layer but whatever if it works. The interface leaves much to desired, options are extremely limited and I just don't get the warm fuzzies about using the app. Using the free version will result in nag screens which will trip up any automated use.
Sandroproxy: Is free, appears to be fairly configurable and would be easy to automate with Tasker. Unfortunately this proxy doesn't work at all either. I appreciate the direct iptables output this one offers.
iptables, yes, now that we are talking about iptables I have some questions. I have a passing understanding of iptables/ipchains and can parse an iptables stack and can do some mediocre manual entry into one. However, regardless of which proxy I activate a listing with "iptables -L" always indicates a stock iptables stack. I've read that kernel level support must be enabled for iptables to work which would explain the failure of the 2 apps that don't work at all and the unchanging iptables list output. I'm using CleanKernel which is stock with some CPU frequency change allowance and some optimizations but nothing added outside stock. So, does a stock GS3 kernel support iptables/netfilter? Are the working apps using a method outside iptables? I suspect my iptables works fine but I'm missing something about how to get appropriate listing from it.
What the hell is keeping the other apps from working?
Any help is appreciated even if it input on passing startup info to proxydroid which "just works" 100% of the time.
Hi,
As far I can understand you have tunnel from android to machine and you want that some application use it.
So you probably want to redirect some android port to android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achive that.
iptables v1.4.11.1 check
netstat -tulnp | grep 8080 verifies ConnectBot listening on 8080 check
(why simply appending :8080 to the address IP doesn't hit CB without proxying it there was initially confusing but below i discuss the socks proxy)
(note, establishing proxydroid on any port that CB is forwarding will result in xxx.xxx.xxx.xxx:$port being forwarded through the tunnel so long as $port is in CB's config to forward since proxydroid is currently configured as a global proxy)
I tried a few variations of your supplied iptables append string with no positive results which is fitting with the below discussion about no socks proxy in place.
Armed with the knowledge that there is more than one table and I was simply listing the filtering table I fired up proxydroid and listed the NAT table and found all traffic redirected to port 8123. Netstat confirmed redsocks listening on port 8123. So, this leads me to believe that the missing element in simply redirecting traffic to port 8080 or any other tunneled port is a socks5 proxy.
I am currently chewing through this link: http://przemoc.net/tips/linux#making_socks_proxy_transparent with the intent of leveraging iptables and redsocks to perform the needed redirects manually possibly switched on and off with shell scripts executed by Tasker (although, if i can successfully configure to redirect based on destination ip/address then, for my putposes the only automation required is that which I have already achieved; establishing and shutting down the tunnel.
Any further insight you have to the above ends is greatly appreciated and I thank you for your input to date.
SandroBSupp said:
Hi,
As far I can understand you have tunnel from android to machine and you want that some application use it.
So you probably want to redirect some android port to android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achive that.
Click to expand...
Click to collapse
I will try with some simple Apache/ConnectBot/telnet configuration and let you know.
I tested and it works.
How I set up enviroment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. find out app id of browser on android with ps command and used same id in iptables rule
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
4. checked iptables rules that shows redirection
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Your environment seems optimal for making this work. And, maybe I need to reevaluate my remote end environment.
Currently the ssh daemon operates on a server machine that also includes a socks5 proxy for allowing unrestricted and encrypted access from any location. The service interfaces I wish to access remotely, however, reside on a separate machine on the same network. This means that the IPort has to pass unmolested through the tunnel. The socks5 proxy on the sshd machine is irrelevant to this process, it should be noted. However, as I understand it, the port being forwarded through the tunnel does have to be a dynamic port in order to appropriately reach the second PC. Dynamically forwarded ports are handled with a socks protocol in ConnectBot.
So my environment is as follows
192.168.1.101 serves sshd on port 22.
192.168.1.100 serves interfaces on ports 2100, 8080, 80801 and 8082.
From the android device (S3) I expect to enter the address 192.168.1.100:8080 into a browser and have the related service interface be accessed remotely. This is exactly what occurs with the appropriate ports forwarded from ConnectBot and using proxydroid as a global proxy or even as a proxy tied directly to the app similar to your iptables string that matches the owner application. It should be noted that since the port is dynamic it really only requires ConnectBot to have a single port forwarded and for the redirection to jump to that port regardless of the originating port (say, 8080 or 8081 or 2100) because the originating port passes the tunnel unmolested in this configuration.
It sounds like I could relocate the sshd to the PC hosting the service interfaces and alleviate this issue (maybe, possibly) of having to use dynamic ports and use a more traditional explicit local to remote port forwarding scheme. However, knowing that it can be achieved otherwise leads me to seek a solution that doesn't require reconfiguration of the remote PCs and all of the various machines I have configured to access this configuration remotely for other purposes.
I did try your iptables string exactly and also without the owner application matching making it a more global redirect if I parse it correctly. I also tried these configurations with ConnectBot configured with traditional instead of dynamic port forwards but neither way works.
I still believe that the proxydroid method is succeeding because it includes the socks5 proxy layer via redsocks. I believe but cannot prove that this is what enables the dynamic port forwarding to work through the tunnel. While the method you are outlining makes good theoretical sense it is failing in practice.
All that said, I decided to run a test wherein I redirected all traffic on port 80 to port 6543 and then configured connectbot to forward from port 6543 to port 8118 which should engage my remote socks5 proxy and use my remote internet connection. It appeared to work and to double check I disconnected ConnectBot yet somehow my android browser still had no issues accessing internet sites on the 4g connection. So, apparently iptables is being ignored entirely or I am completely missing the boat, here.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Explain how that successfully fetches http requests despite having a service listening on 6543 to facilitate it.
Not sure if it was required to use that -m match switch to tie the iptables rule to an application so I tried:
ps | grep lan =
Application is 23094
therefore
iptables -t nat -A OUTPUT -m owner --uid-owner app_23094 -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere owner UID match app_23094 tcp dpt:www to 127.0.0.6543
Same result; not tunnel or service listening on 6543 but successful fetch of http requests.
SandroBSupp said:
I tested and it works.
How I set up enviroment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. find out app id of browser on android with ps command and used same id in iptables rule
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
4. checked iptables rules that shows redirection
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Click to expand...
Click to collapse
Before I investigate further...
Is this a typo or iptables doesn't work okey?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Yeah, that was a typo into the forum.
I have globally redirected all port 80 traffic to localhost port 6543 with no service listening on 6543 yet any browser will successfully fetch pages. It seems iptables is being ignored entirely although it should be noted proxydroid modifies iptables to a successful result.
SandroBSupp said:
Before I investigate further...
Is this a typo or iptables doesn't work okey?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Click to expand...
Click to collapse
Just for fun I installed DroidWall and blacklisted both browsers on my phone. Neither browser has any issues whatsoever retrieving webpages despite the blocks. I listed the iptables to verify there are indeed blocks in place. My iptables are being ignored entirely. Any input to this regard would be quite helpful. Obviously any attempts to manipulate packet redirection with iptables is meaningless if the tables are ignored.
Strangely, proxydroid is effective and it is making changes to iptables when enabled, so I have no idea WTF at this point.
Okay, I deleted all chains which seems to have cleared up the issue with all rules being ignored. If I am not mistaken my output chain was being directed to a chain called samsung_market_policy so, if I wasn't placing the rules within that chain (and I was not) they were being jumped before they could be read. I have no idea what breaks when you remove the samsung_market_policy chain but considering it was an empty chain I suppose nothing.
That said, I can now successfully redirect port 80 traffic to port 6543:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 6543
^^^If no service listens on 6543 the browser provides an error message as expected. With ConnectBot listening on 6543 and forwarding through the tunnel to remote port 8118 where I have a proxy server listening the pages fetch.Note a socks5 proxy is listening on the remote machine at port 8118 to manage the retrieval of the pages.
Sooooo, now I flush the above rules and enter:
iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 127.0.0.1:8080
^^^Should, in my understanding send all tcp traffic of any variety to localhost port 8080 where I have ConnectBot configured to forward dynamically to the remote machine.
Passing any address of any variety fails in this instance. There is a service listening on remote machine 192.168.1.100:8080. This address fails where it would not do so with a local socks5 layer. Google.com fails as well, which makes sense considering there is no proxy to perform the domain resolution but so does passing 74.125.137.138 which is Google.com's direct IP address.
I have further testing to do and will report back. If you have any input I am eager to hear it.
I will add that I am back on the same merry go round:
2 of the proxies do not work 2 of them do. The 2 that do will not connect without direct user interface on screen. At any rate, I remain convinced a local proxy layer is needed for my purposes.
The 2 proxies that do work are explicitly socks5 while the 2 that are not simply state they are socks.
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Yes, this works... for a wifi connections. However, I am rarely connected to wifi and when I am it is the network that the remote pcs are attached to so all of this becomes unnecessary.
For a 3G/4G connection I need to either:
A) Easily and automatically toggle a global proxy on and off (the main complaint with proxydroid is this missing feature)
or
B) Make a permanent redirect of destination IP 192.168.0.0/8 to the proxy without stripping the destination port information so that the transport carries that information.
A kludge solution I am currently using is to install FireFox mobile and then the Network Connections plugin which allows all FireFox traffic to be pointed to my ConnectBot tunnel. Then, in this way, to access my remote service I simply use FireFox Mobile and my other browsers for normal traffic.
This is a less than ideal solution, unfortunately, as I would like to be able to use any browser and also and more importantly other applications such as AndFTP, which fail unless a local socks5 layer is transporting the destination IP AND Port through the tunnel. That is, if AndFTP or a normally configured browser are pointed to the tunnel then the port information only serves the purpose of reaching the tunnel and is not transmitted to the remote end for connecting to remote services on their respective ports. There HAS to be a local transport layer that is moving the destination IP AND Port unmolested to and through the tunnel.
All that said, I suspect my earlier attempts at iptables redirection were successful at transmitting the packets TO the remote computer but additional rules must be configured to parse the incoming packets FROM the remote computer.
My next efforts will be directed at creating a shell script that sets up a redsocks proxy and an iptables redirection for the 192.168.0.0/8 range to that proxy. Which, is effectively recreating the efforts of people like yourself who wrote applications such as Sandroproxy, proxydroid and Auto Proxy. I will also be sending a request to proxydroid developers for an easier on/off toggle such as a checkbox instead of the current slider which cannot (as far as I know) be automated or, even better, to have that proxy auto-effect for a destination IP range.
SandroBSupp said:
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Click to expand...
Click to collapse
Highlights
100% open source (GPLv2+)
No ads
One-click connection (batch mode)
Supports RSA SecurID and TOTP software tokens
Keepalive feature to prevent unnecessary disconnections
Compatible with ARMv7, x86, and MIPS devices
No root required
Based on the popular OpenConnect Linux package
Click to expand...
Click to collapse
Requirements
Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
An account on a suitable VPN server
Click to expand...
Click to collapse
Downloads
Binaries are attached to this post under the downloads tab.
Google Play: https://play.google.com/store/apps/details?id=app.openconnect
Source code: https://github.com/cernekee/ics-openconnect
F-Droid: https://f-droid.org/repository/browse/?fdid=app.openconnect
Click to expand...
Click to collapse
(note that the F-Droid binaries are signed by a different key than the official releases)
Changelog
Code:
v1.11 - 2015/02/21
- Fix "Unknown compression type 0" errors when CSTP and DTLS use
different compression settings
Older changelogs:
Code:
v1.10 - 2015/02/08
- Fix CSD script problem on Lollipop (bug #1)
- Fix IPv6 address display on status window (bug #2)
- Enable LZ4 compression support
- Identify as a mobile client when Android or iOS is selected
- Update to OpenConnect v7.04+, GnuTLS 3.2.21
v1.02 - 2014/09/02
- Fix regression on certificate handling
v1.01 - 2014/08/29
- Add Spanish translations (thanks to teosoft)
- Fix regression on CSD scripts starting with "#!/bin/sh"
- Improve error messages on broken ROMs that throw exceptions when
starting a VpnService
- Fix intermittent fragment-related crashes on ICS
v1.00 - 2014/08/10
- Fix problems storing >8kB certificates on some ROMs
- Clean up seldom-used menu items and move some options into General Settings
or About
- Integrate Xposed module for bypassing the VPN confirmation dialog
- Switch to ACRA for problem reporting
v0.96 - 2014/07/06
- Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs:
https://code.google.com/p/android/issues/detail?id=70916
- Fix navigation anomalies (weird Back button behavior) seen after
re-entering OpenConnect from one of the Notifications
v0.95 - 2014/06/14
- Show the auth dialog <message> text in case it contains useful information
- Add German translations (thanks to Ingo Zansinger <[email protected]>)
- Add Chinese translations
- Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy
- Clean up a bunch of lint warnings and unused strings/files
- Try to generate a human-readable profile name when adding a new VPN
v0.91 - 2014/06/01
- Fix bugs involving saved authgroups
- Fix batch mode error handling
- Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466
v0.9 - 2014/04/26
- Add new "Send feedback" screen
- Add new "SecurID info" screen for RSA soft token users
- Allow changing settings and using other menu options (about, SecurID,
send feedback, etc.) while connected
- Update FAQ and provide some links to relevant XDA posts
v0.81 - 2014/04/06
- Fix potential issue recognizing certificates stored in VPN profiles
created with <= v0.7
v0.8 - 2014/04/02
- Fix hangs after reconnect if DTLS is disabled
- Fix incorrect storage of PKCS#12 certificates
- Remove unnecessary passphrase prompts on unencrypted certificates
- Add a workaround for ASA certificate request quirks
- Fix FC when attempting to import an OpenVPN profile
v0.7 - 2014/03/08
- Update GnuTLS to address CVE-2014-0092
- Fix FC and other misbehavior on IPv6 connections
- Update to libopenconnect 5.99+
- Fix/delete several broken translations
- Minor improvements to the auth form UI
- Switch curl from OpenSSL to GnuTLS and remove advertising clauses
v0.6 - 2014/02/09
- First release in Google Play Store
- Change to new "big O" launcher icon
- Avoid displaying error alerts if the user terminated the connection
- Try to make the libopenconnect build process more robust, and strip *.so
files to conserve space
v0.5 - 2014/02/01
- Fix "living dead" connections (can't pass data after reconnection due to
DTLS parameter mismatches)
- Add FAQ tab in response to user feedback
- Move log window into a tab
- Reorganize action bar so that the most important items (Status/Log/FAQ)
are tabs, and less important items (Settings/About) are in the menu
- Fix KeepAlive socket errors on KitKat devices
- Other UI and documentation fixes
- Add split tunnel configuration options
- Improve icons
v0.2 - 2014/01/18
- Allow SecurID token import via URI or text file
- Newly reworked "status" tab with uptime, error alerts, IP addresses,
etc.
- Fix a couple of bugs involving screen rotation / activity redraw on
the log window
- Prompt for hostname instead of profile name when adding a new VPN, to
help avoid "empty hostname" mistakes
- Numerous other UI improvements and fixes
- Remove "reconnect on boot" until it works properly
- Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"
Click to expand...
Click to collapse
FAQ
Q: What is this app used for?
A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.
If in doubt, check with your I.T. administrator to see if a suitable service is available.
Q: How do I get started?
A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.
Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.
Q: How do I authenticate using an SSL client certificate?
A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:
P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.
Single PEM/CRT/CER file: same as above.
Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.
When finished, delete the certificate files from external storage so they cannot be stolen by other apps.
If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.
Q: Will OpenConnect work with non-AnyConnect VPNs?
A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.
Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?
A: OpenConnect supports SSL VPN (CSTP + DTLS) only.
Q: How do I import a SecurID software token?
A: If you have an URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string then write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.
If you have an "sdtid" XML file, copy it to /sdcard and then import it.
Q: Is it possible to skip all login prompts when connecting?
A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.
The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.
Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.
Q: How do I improve battery life while the VPN is up?
A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.
Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.
Q: How do I use OpenConnect with AFWall+?
A: There are a few caveats to keep in mind when using an Android firewall with VPN:
* If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
* Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.
Q: Are any apps incompatible with VPN?
A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.
Q: Under what circumstances will OpenConnect request root?
A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.
Based on user feedback and testing, future releases may autodetect these conditions.
Q: How do I send a problem report?
A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.
Click to expand...
Click to collapse
TODO
Translations - I will set up the necessary infrastructure if there are volunteers
Compatibility testing
Add x509 certificate parsing/validation in the profile editor
Enable Android keystore support
Proxy support
Split tunnel DNS?
Click to expand...
Click to collapse
MISC
Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link
XDA:DevDB Information
OpenConnect, App for the Android General
Contributors
cernekee
Source Code: https://github.com/cernekee/ics-openconnect
Version Information
Status: Testing
Created 2014-01-18
Last Updated 2015-02-21
hello cernekee,
I was using smoothconnect on my note3 and It was working just fine, but now after I update my note3 to kitkat it surfs only couple of things like "play store", google search, and whatsup. but all other web sites and programs do not!!
now I tried out this program "open connect" with some hope but nope, I does the same thing. It only opens play store and google search but no other things.
I wonder what cause this problem, any suggestions please??
msm88now said:
hello cernekee,
I was using smoothconnect on my note3 and It was working just fine, but now after I update my note3 to kitkat it surfs only couple of things like "play store", google search, and whatsup. but all other web sites and programs do not!!
now I tried out this program "open connect" with some hope but nope, I does the same thing. It only opens play store and google search but no other things.
I wonder what cause this problem, any suggestions please??
Click to expand...
Click to collapse
Sometimes an MTU or TCP MSS problem could cause this symptom. What kind of gateway are you connecting to? Are you the admininstrator?
Older versions of KitKat did have an MSS problem; I think 4.4.1+ is OK: https://code.google.com/p/android/issues/detail?id=61948
There are a few other outstanding problems on <= 4.4.2: http://www.androidpolice.com/2014/0...n-routing-fixes-are-planned-for-some-of-them/
Do you see the same problem connecting from other systems, like a Windows PC, or even the Cisco AnyConnect Android app?
Hi cernekee,
I have an openSSL Cisco vpn connection provided by my university, I hooked it with D-615 Dlink router through DHCP.
Cisco AnyConnect for andriod does not work on our university network because it asks for a certificate which my uni does not provide. that's why I'm using smoothconnect.
anyways, right now I have a flawless connection on my all devices on my room's wireless like my both Win7 laptops and my galaxy S2 andriod 4.1.2.
all work except my note 3 after I updated it to (4.4.2). I don't know if it's a IPv6 or MTU problem,
I tried to decrease MTU value in smoothconnect but with no success. as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
any suggestions please???
msm88now said:
Hi cernekee,
I have an openSSL Cisco vpn connection provided by my university, I hooked it with D-615 Dlink router through DHCP.
Cisco AnyConnect for andriod does not work on our university network because it asks for a certificate which my uni does not provide.
Click to expand...
Click to collapse
I don't see this university's VPN requesting a certificate (i.e. SSL client cert). It just asks for a group/username/password.
Are you getting an error that says that the gateway is not licensed for mobile, after you enter your password?
that's why I'm using smoothconnect.
anyways, right now I have a flawless connection on my all devices on my room's wireless like my both Win7 laptops and my galaxy S2 andriod 4.1.2.
all work except my note 3 after I updated it to (4.4.2). I don't know if it's a IPv6 or MTU problem,
I tried to decrease MTU value in smoothconnect but with no success. as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
any suggestions please???
Click to expand...
Click to collapse
Can you grab a packet capture when you're seeing the connectivity failures, and email me the result? e.g.
Code:
adb push tcpdump /data/local/tmp
adb shell
cd /data/local/tmp
su
chmod 755 tcpdump
./tcpdump -n -i tun0 -w out.pcap
yes that's right, Cisco anyconnect asks only for username/ password but when I try to start a connection it ends up with no license error!
that's way I'm using smoothconnect and now openconnect on my both andriod phones.
now for my problem, I didn't get what do you mean by connectivity failure because I'm not getting any connectivity failure messages on my note3 after update to 4.4.2 neither on smoothconnect nor on openconnect. it connects as usual and I can see some traffic packets are being transfered but I can only surf google serch, youtube and some other stuff like play store and whatsup. whenever I try to surf any other website like for example bbc news the browser( chrome, opera, Dolfin..) just waits and then ends up with nothing like there is no internet connection!
did I explain my problem clearly? is it an Ipv6 problem? I'm really confused and frustrated
msm88now said:
yes that's right, Cisco anyconnect asks only for username/ password but when I try to start a connection it ends up with no license error!
Click to expand...
Click to collapse
OK. This is because the Cisco mobile clients look for an "X-CSTP-License: accept" header from the gateway after authenticating, to see if the operator has paid extra to support the Cisco mobile client. libopenconnect-based clients (including SmoothConnect) do not require this header.
now for my problem, I didn't get what do you mean by connectivity failure because I'm not getting any connectivity failure messages on my note3 after update to 4.4.2 neither on smoothconnect nor on openconnect. it connects as usual and I can see some traffic packets are being transfered but I can only surf google serch, youtube and some other stuff like play store and whatsup. whenever I try to surf any other website like for example bbc news the browser( chrome, opera, Dolfin..) just waits and then ends up with nothing like there is no internet connection!
Click to expand...
Click to collapse
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
cernekee said:
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
Click to expand...
Click to collapse
Hi,
I don't know how to make Tcpdump on my note3 not to mention hitting the control-c on andriod. what instruction did you mean?
msm88now said:
I don't know how to make Tcpdump on my note3 not to mention hitting the control-c on andriod. what instruction did you mean?
Click to expand...
Click to collapse
Do you have a friend who is familiar with ADB, rooting phones, etc. who might be able to help out in person?
You could also try something like Shark for Root, or follow this video. Make sure you capture on the tun0 interface so that we can see what is happening on the VPN tunnel. If you capture from the wifi interface you'll still see traffic, but everything will be encrypted so it will not be possible to diagnose the failure.
I got it. first I rooted my note3 then I followed the instruction in the video and here it is, I hope it's what you asked me for. waiting for your diagnosis, fingers crossed
msm88now said:
I got it. first I rooted my note3 then I followed the instruction in the video and here it is, I hope it's what you asked me for. waiting for your diagnosis, fingers crossed
Click to expand...
Click to collapse
According to this trace (partial screenshot attached), the Note 3 is advertising an MSS of 1460 bytes on IPv4 TCP connections. This looks abnormally high for a VPN interface; the other direction is using an MSS of 1380, which looks more realistic. The MSS for IPv4 would normally be the tun0 MTU minus 40 bytes. I am assuming this means the MSS is being computed from the 1500-byte wlan0/eth0 MTU, not the smaller tun0 MTU.
When Google fixed the MSS bug in Android 4.4.1, they left the following comments in the changelog:
Code:
commit ca5b4e8d0d8219273ecf0961ed6e8c47ab5d798a
Author: JP Abgrall <[email protected]>
Date: Wed Nov 20 17:27:01 2013 -0800
SecondaryTableController: force the MSS to match pmtu on TCP SYN
Without this change, the VPN sets up a tun/ppp that needs a small
MTU, and during TCP SYN the MSS will end up matching the outgoing iface
MTU which is potentially too big.
This leads to connection flakiness. The wrong MSS is visible by
tcpdump-ing on the tun/ppp device.
With this change, the MSS now is correct.
[b]It requires the kernel to be configured with
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
If kernel is not configured, it silently fails.[/b]
Bug: 11579326
Change-Id: I254d8c39435b92dff91931e461e1efb8b35f6b1e
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2), but the kernel may be missing the TCPMSS target. If you see an error when running this command as root, it probably means that kernel support is missing:
Code:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
cernekee;
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2) said:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
[/code]
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
Click to expand...
Click to collapse
as you can see in the attachment I applied the code with no error message. so in this case I assume I have no problem with the kernel? right?
then what causes the problem? and what can I do in order to solve it?
msm88now said:
as you can see in the attachment I applied the code with no error message. so in this case I assume I have no problem with the kernel? right?
then what causes the problem? and what can I do in order to solve it?
Click to expand...
Click to collapse
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Code:
su
iptables -t mangle -nxvL
cernekee said:
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Click to expand...
Click to collapse
here is the output after some bad sites access, I also repeated the provisos code during an openconnect session. hope it will help us.
msm88now said:
here is the output after some bad sites access
Click to expand...
Click to collapse
Hmm, on my KitKat device I have an st_mangle_POSTROUTING chain which does the TCPMSS clamping:
Code:
Chain st_mangle_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
I did not see this in your output. Maybe Samsung is using an outdated version of netd.
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
Code:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
If not, post the new "iptables -t mangle -nxvL" output so we can look at the traffic counters.
Also can you attach your /system/bin/netd binary?
Thanks.
cernekee;
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
[code said:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Click to expand...
Click to collapse
are kidding me!! it really worked. after I run the the code I tried to access all the bad sites and all of them worked!! but not as fast as my other mobil SG2. I noticed that it takes noticably much longer to access them. but still, It worked and It's fantastic!!
any ways, I rebooted my note3 to see if it will work again but it turned out it didn't! I need to re-enter the code again to make it work. now could you tell me what is my phones problem exactly? despite the re-entering issue I'm very happy that I finally can use internet on my note3 again thanks to you cernekee.
msm88now said:
any ways, I rebooted my note3 to see if it will work again but it turned out it didn't! I need to re-enter the code again to make it work. now could you tell me what is my phones problem exactly?
Click to expand...
Click to collapse
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
cernekee said:
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
Click to expand...
Click to collapse
here I attached them.
I posted a problem report on Samsung's support forum:
http://developer.samsung.com/forum/...&messageId=259244&listLines=15&startId=zzzzz~
Works like a charm with the lastest Slimkat on Nexus 4. Thanks a lot !
Just add a widget to one click connect from the launcher and it will be the best VPN apps that I've use.
Today I've a Tasker task to launch Anyconnect with uri and simulate touchs screen to automate my connection.
@ edit :
Is there a way to don't have the attached screen ?
An interesting read :
Closing Open Holes
#JDevil#
With the spread of Hackers and Hacking incidents, the time has come, when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one, if your system is connected to the Internet, then there is every chance of it being attacked.
This manual is aimed at discussing methods of system security analysis and will shed light on as to how to secure your standalone (also a system connected to a LAN) system.
Open Ports: A Threat to Security?
Now, which option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.inop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.inop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)
State of Connection: ESTABLISHED
Netstat? with the ? argument is normally used, to get a list of open ports on your own system i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but, we are hackers, and need to software to tell us, whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ?Scan? button and let some software do it.
The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt
----
Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, How can I close these open ports? How do I know if an open port is a threat to my system's security of not? Well, the answer to all these question would be clear, once you read the below paragraph:
Now, the thing to understand here is that, Port numbers are divided into three ranges:
The Well Known Ports are those from 0 through 1023. This range or ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see there is an internationally accepted Port Numbers to Services rule, (refer RFC 1700 Here) which specifies as to on what port number a particular service runs. For Example, By Default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators delibrately i.e. to fool lamers run fake services on popular ports. For Example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface like the FTP daemon banner, response numbers etc, however, it actually might be a software logging your prescence and sometimes even tracing you!!!
The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, Networking utlites like your Browser, Email Client, FTP software opens a random port within this range and starts a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.
If you find that when you give the netstat -a command, then a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transfering packets (data) received to the application and vis-a-versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.
The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans, however some application do tend to use such high range port numbers. For Example,Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:
1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does then get a trojan Removal and remove the trojan.
2. If it doesn't or if the Trojan Remover says: No trojan found, then see if the open port lies in the registered Ports range. If yes, then you have nothing to worry, so forget about it.
***********************
HACKING TRUTH: A common technique employed by a number of system administrators, is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:
http://domain.com:8080 instead of
http://domain.com:80
The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker, would find it more difficult to find that service. He would have to port scan high range of numbers to discover port remapping.
The ports used for remapping are usually pretty easy to remember. They are choosen keeping in mind the default port number at which the service being remapped should be running. For Example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc etc
Some sysadmins also like to choose Port numbers in the following manner: 1234,2345,3456,4567 and so on... Yet another reason as to why Port Remapping is done, is that on a Unix System to be able to listen to a port under 1024, you must have root previledges.
************************
Firewalls
Use of Firewalls is no longer confined to servers or websites or commerical companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?
Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted non-reliable systems connected to the Internet. It is a software which listens to all ports on your system for any attempts to open a connection and when it detects such an attempt, then it reacts according to the predefined set of rules. So basically, a firewall is something that protects the network(or systen) from the Internet. It is derived from the concept of firewalls used in vehicles which is a barrier made of fire resistant material protecting the vehicle in case of fire.
Now, for a better 'according to the bible' defination of a firewall: A firewall is best described as a software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guard a trusted network( The Internal Private Network from the untrusted network (The Internet.)
NOTE: This was a very brief desciption of what a firewall is, I would not be going into the details of their working in this manual.
Anyway,the term 'Firewalls', (which were generally used by companies for commerical purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked i.e. It usually connects to an ISP. Or in other words a personal firewall is a firewall used for personal use.
Now that you have a basic desciption as to what a firewall is, let us move on to why exactly you need to install a Firewall? Or, how can not installing a firewall pose a threat to the security of your system?
You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.
Finding out someone'e IP Address is not very difficult. Anybody can find out your IP, through various Chat Services, Instant Messengers (ICQ, MSN, AOL etc), through a common ISP and numerous other ways. Infact finding out the IP Address of a specific person is not always the priority of some hackers.
What I mean to say by that is that there are a number of Scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For Example, Systems with File Sharing Enabled or a system running an OS which is vulnerable to the Ping of Death attack etc etc As soon as a vulnerable system is found, then they use the IP to carry out the attacks.
The most common scanners look for systems with RAT's or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept are quite wide and one can easily find a vulnerable system in the matter of minutes or even seconds.
Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: The back door provides future remote access, while the sniffer may reveal important information about you like your other Passwords, Bank Details, Credit Card Numbers, Social Security Number etc If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you probably have given the attacker the same access level to your internal network, as you have. This wouls also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.
You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes that is true, however, not completely true. Yes, it does make access to your system when you reconnect, difficult, as you have a dynamic Internet Protocol Address. But, although this provides a faint hope of protection, routine scanning of the range of IP's in which your IP lies, will more often than not reveal your current Dynamic IP and the back door will provide access to your system.
*******************
HACKING TRUTH: Microsoft Says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transportmaking any connected system visible to scanners?and attackers.
*******************
So how do I protect myself from such Scans and unsolicitated attacks? Well, this is where Personal Firewalls come in. They just like their name suggests, protect you from unsolicitated connection probes, scans, attacks.
They listen to all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.) As soon as such an instance is recorded, it pops up a warning asking you what to do or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect i.e. the Port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.
Most Personal Firewalls have extensive logging facilities which allows you to track down the attackers. Some popular firewalls are:
ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com
Once you have installed a firewall on your system, you will often get a number of Warnings which might seem to be as if someone is trying to break into your system, however, they are actually bogus messages, which are caused by either your OS itself or due to the process called Allocation of Dynamic IP's. For a details description of these two, read on.
Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?
Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to which the IP was assigned earlier was using ICQ or chat programs, was connected to a Game Server or simply turned off his modem before his communication with remote servers was complete.
You might even get a message like: Such and Such IP is trying to initaite a Netbios Session on Port X. This again is extrememly common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.
What Causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:
DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server
Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novel IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed onto the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.
(Side note: User's sometimes complained that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must timeout first before the real protocol stack is queried for the server name.).
The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.
Breaking Through Firewalls
Although Firewalls are meant to provide your complete protection from Port Scan probes etc there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (Although normally it should stop such scans.)
If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.
Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).
TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 which specifies source port).
JDevil
Just figured I would share this for anyone who is sick of their tethering being throttled after a insanely small bandwidth limit. I mean if you pay for unlimited data, who are they to tell you how you can use it. Also you could technically cancel your ISP if you really wanted to and you were motivated enough to get this setup correctly.
I'm have a repo on GitHub for this -> https://github.com/RiFi2k/unlimited-tethering
# Unlimited Tethering
Bypass tethering caps or throttling on cell phone unlimited data plans. Potentially cancel your internet and route your whole home though your unlimited data plan.
Inspired from [XDA](https://forum.xda-developers.com/) forum threads.
[Working Options for Unlimited Tetherting, Hotspot, Carrier Check Bypass Methods](https://forum.xda-developers.com/showthread.php?t=3825144)
[Unlimited WiFi Tethering](https://forum.xda-developers.com/showthread.php?t=2914057)
## Requirements
* **Unlimited data plan**
* **Ability to hotspot your phone**
* **Computor or Router**
This is not a carrier specific method, I use Verizon but this should generally work with any carrier. It also doesn't matter if they throttle or cap you at 15GB or something, that is what we are about to work around.
If you are going to go the router method it will be a lot more work but the router will handle all the traffic routing and you can just connect any device in your house to your router and it will just work. If you are just going to use your PC then you can generally have this running in ~15 to 30 minutes.
I have personally used anywhere from 80-150GB of data with this method consistantly for 6+ months and never been throttled one time while my traffic was going through the tunnel.
## Overview
1) Download [Termux](https://termux.com/) app, [install openssh](https://wiki.termux.com/wiki/Remote_Access) on it, make sure you have python2 as well and simlink the `python2` command to `python`.
```
pkg install python2
py2_path=$(which python2)
py_path=${py2_path%/*}/python
ln -s "$py_path" "$py2_path"
```
2) Configure authentication as explained [here](https://wiki.termux.com/wiki/Remote_Access) for SSH. If you don't already have a keypair it explains how to set up an ssh keypair and use it to authenticate to your phone from a PC. I personally used my existing SSH public key and made a folder / file `~/.ssh/authorized_keys` on Termux and dropped it in there with something like `curl "https://github.com/rifi2k.keys" > ~/.ssh/authorized_keys` if you already have your public keys on github here.
2) Hotspot your phone.
3) Run `ifconfig` inside Termux to get your current tethering local IP. It will be the only 192.x.x.x spit out and generally for andriod will be ending in 192.x.43.x. Save this.
4) Run `sshd -dD` inside Termux which starts an openssh server in debug mode to audit traffic. Your looking to see something like this as output from the above command.
```
debug1: Bind to port 8022 on ::.
Server listening on :: port 8022.
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
```
5) Now pop onto a PC and connect it to your hotspot.
6) Now SSH tunnel all the traffic from the device back through the openssh server your running on the Termux app. Now that you are on the same local network you can SSH tunnel into our saved IP address and port from earlier `192.x.43.x:8022` or similar.
You can use ssh which would look something like this.
If you want to use OpenSSH on Windows my recommendation would be Chocolatey package manager. https://gitlab.com/DarwinJS/ChocoPackages/tree/master/openssh
```bash
TERMUX_USER="u0_a249"
TERMUX_IP="192.x.43.x"
TERMUX_PORT="8022"
LOCAL_SOCKS_PORT="8123"
ssh -D $LOCAL_SOCKS_PORT -fqgN [email protected]$TERMUX_IP -p $TERMUX_PORT
```
TERMUX_USER would be your username on the Termux app.
TERMUX_IP would be the IP you got from `ifconfig` in Termux.
TERMUX_PORT would be the port `sshd` is using in Termux.
LOCAL_SOCKS_PORT would be the port you want to use for your local proxy.
So then once you run the above ssh command you need to configure a system wide or application specific Socks Proxy which would be proxying all traffic to `127.0.0.1` for the Socks Host and whatever `LOCAL_SOCKS_PORT` is from above for the Socks Port.
I use [sshuttle](https://github.com/sshuttle/sshuttle) which already handles most of the [gotchas with tcp over tcp etc](https://sshuttle.readthedocs.io/en/stable/how-it-works.html). and which also has a solution for [Windows](https://sshuttle.readthedocs.io/en/stable/windows.html) and linux. Also sshuttle generally handles setting up the Socks Proxy for you. A command for sshuttle might look like this.
## Linux
```bash
TERMUX_USER="u0_a249"
TERMUX_IP="192.x.43.x"
TERMUX_PORT="8022"
sshuttle -r [email protected]$TERMUX_IP:$TERMUX_PORT 0.0.0.0/0 -l 0.0.0.0:0
```
## Windows
On Windows I would download [Virtualbox](https://www.virtualbox.org/). You can verify the sha256 of the files via PowerShell with `Get-FileHash C:\path\to\file.exe`. Also you might want to use [git bash](https://medium.com/@botdotcom/learn-how-to-install-and-use-git-on-windows-9deecbd6f126) instead. Then you want to make sure you launch a linux VM in [bridged mode](https://www.linuxbabe.com/virtualbo...duction-to-virtualbox-bridged-networking-mode).
Then run sshuttle inside the VM following the directions here for [sshuttle in a VM](https://sshuttle.readthedocs.io/en/stable/windows.html).
Inside the VM
```
sshuttle -l 0.0.0.0 -x 10.0.0.0/8 -x 192.168.0.0/16 0/0
```
Back on your Windows machine, assuming your VM has the IP `192.168.1.200` on the bridged network.
```
route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
```
That should route traffic through the VM and the tunnel.
As long as you make sure all your traffic passes through the tunnel it 100 percent shows that all your internet is being used by Termux app not your hotspot app so you need no other spoofing of hops or anything because to your phone and carrier you are just using a bunch of data in termux, you do it right you will never be throttled.