Author: Andrew Williams

I am an information security analyst in the Huntsville, Alabama area. I am currently pursuing a degree in management of information systems from UAB.

OpenVPN iOS Authentication Failed: Data channel cipher negotiation failed (no shared cipher)

So I was traveling on Saturday and needed to connect to my VPN. Unfortunately, it would not connect. When I got home I discovered I had two problems. First, the GUI upgrade on my pfSense box had not fully upgraded everything. The fix for this is pretty straightforward: open a shell on pfSense and run pfSense-upgrade -d. This upgraded OpenVPN on the device to 2.5 (I believe the current version as of this writing).

Then I had another problem. I was getting this error message:

The solution is to go into the settings for the app (hamburger button in the upper left corner, then Settings) and de-select AES-CBC Cipher Algorithm. This setting can break the VPN connection if you are using TLS 1.3, because 1.3 does not support AES-CBC.

I did not have an easy time finding help with this issue online, so I am writing this in the hopes that it is found by someone else needing help.

Simple Port Scanner In Five Languages

I have created a simple port scanner in five different scripting languages. I am sharing the code because the resources for figuring this out were not as helpful as I think they should have been. The process could have been a lot easier and more straightforward. Also, I am sharing so that hopefully it will help someone else in learning what I have learned.

https://github.com/andcen/Port_Scanner_Examples

Good IT People are Lazy…

Good IT folks are lazy. What I mean by that is that they will find ways to automate boring tasks. That means they will solve problems with programs written in languages like Python or with scripts in PowerShell or Bash. This skill is what lets people truly unlock the power of computers.

So it was that I was faced with a boring task. I had purchased an archive of issues of a popular computer magazine. Every previous issue was stored as HTML pages, one for every page of every issue. But I did not want HTML pages; I wanted PDFs, and only one per issue.

Bash scripting (and some open source software) to the rescue. Using a command-line tool called wkhtmltopdf, I was able to write a script that turned every HTML page into a PDF, producing one file for every issue (this was helped along by the file structure on the DVD).

This script completed its task in about a minute. There is no telling how long this would have taken using a GUI. Yes, some time was taken up finding the tool and writing the script, but that built resources and skills that can be used again in the future. Time spent clicking in the GUI would not have done that.

I’m not saying writing a script like this is always the right way to solve a problem, though I believe that is often (not always) the case. What I am saying is the sense of satisfaction gained by solving a problem this way is well worth the effort.

Below is a shot of the script I wrote.
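As an added example that is not the author's script, this Bash version does the same job under an assumed (hypothetical) DVD layout of one directory per issue holding that issue's HTML pages; it hands wkhtmltopdf every page of an issue in page order and writes one PDF per issue.

```shell
#!/usr/bin/env bash
# Added example, not the author's original script: turn one directory of HTML
# pages per magazine issue into a single PDF per issue with wkhtmltopdf.
# Assumed (hypothetical) DVD layout: <archive root>/<issue>/<page>.html
set -euo pipefail
shopt -s nullglob

# List the HTML pages of one issue directory in page order. Version sort (-V)
# keeps page2.html before page10.html, which plain alphabetical sort would not.
issue_pages() {
    local issue_dir="$1" f
    for f in "$issue_dir"/*.html; do
        printf '%s\n' "${f##*/}"
    done | sort -V
}

# Output PDF path: the issue directory name becomes the file name.
issue_pdf_name() {
    printf '%s/%s.pdf\n' "$2" "$(basename "$1")"
}

# Convert one issue. wkhtmltopdf accepts many input pages followed by one
# output file. DRY_RUN=1 prints the command instead of running it.
convert_issue() {
    local issue_dir="$1" out_dir="$2" p
    local -a pages cmd
    mapfile -t pages < <(issue_pages "$issue_dir")
    if [ "${#pages[@]}" -eq 0 ]; then
        echo "skip: no HTML pages in $issue_dir" >&2
        return 0
    fi
    cmd=(wkhtmltopdf --quiet)
    for p in "${pages[@]}"; do cmd+=("$issue_dir/$p"); done
    cmd+=("$(issue_pdf_name "$issue_dir" "$out_dir")")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "${cmd[*]}"
    else
        "${cmd[@]}"
    fi
}

# Walk every issue directory under the archive root.
convert_archive() {
    local root="$1" out_dir="$2" d
    mkdir -p "$out_dir"
    for d in "$root"/*/; do
        convert_issue "${d%/}" "$out_dir"
    done
}

# Usage: DRY_RUN=1 ./issues2pdf.sh /media/dvd/issues ~/magazine-pdfs
if [ $# -eq 2 ]; then convert_archive "$1" "$2"; fi
```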

Block Malware and Ransomware With Pi-hole

The ability to block ads has become an almost mandatory security control. As seen in this story, malvertising is a vector of infection that is capable of doing significant damage to enterprise networks. There are various tactics that can be deployed to block malvertising in a variety of popular browsers. A great rundown of how to apply these techniques at scale in the enterprise can be found here. But it is possible to do more.

Pi-hole is a simple DNS server that can be deployed on your network to block DNS lookups for servers known to serve advertising. This has the effect of blocking the malvertising before it can ever be downloaded to your system, and works across a variety of platforms, from smartphones to desktops, running Windows, Linux, or Mac OS.

Despite the name, the software does not require a Raspberry Pi. You can run it on one if you wish, but a variety of popular Linux distributions are also supported. I have installed Pi-hole on a CentOS VM in my lab network.

The interface is simple but offers a number of powerful options. It would be sufficient for all but the most sophisticated networks (those running AD or LDAP, for example). Even on these networks, Pi-hole can be used to process lookups for advertising domains before forwarding other traffic to BIND or Windows DNS servers.

While some may disagree with the rightness or legality of blocking ads, the fact that malvertising is an infection vector is inescapable. For the owners of sites, contracting with a third party to infect my users’ systems is not an acceptable business model. When this gets cleaned up, maybe things like Pi-hole will not be necessary. Until then, I look forward to having it in place as an additional layer of defense on my network.

DHCP on CentOS 7

If you are like me, you have a lab at home running IT products and software a normal person would not have in their home. Also, if you are like me, you purchased a TechNet subscription from Microsoft back in the day to equip your lab with Microsoft Windows Server software in order to test various things and power services on your lab network.

Unfortunately, Microsoft chose to discontinue the TechNet program. This was reportedly due to abuse, with people paying for TechNet instead of buying Office, etc. Regardless, TechNet as we knew it no longer exists, and any Windows Server software obtained while the program was still active is pretty old. My lab Windows servers were all running plain old Server 2008.

Wanting both to transition off an aging Windows platform and to add to my Linux knowledge, and to get away from MS software for essential servers in my lab, I undertook a project to begin replacing my DHCP servers running Server 2008 with CentOS 7 servers.

The project was not that difficult, and so far it seems to be successful. The instructions I used here were very good, and if you follow them closely, they are enough to get a Linux-powered DHCP server up and running.

I did run into a couple of issues, however, and will describe them here. First, when defining reservations on your server, make sure that host names are unique. You could have a situation where a notebook has a reservation for both its wired and wireless interfaces; these will need slightly different names.

Secondly, once your server is up and running, you will want to verify that it is working properly and issuing the addresses it should. Since the CentOS server has no GUI, this is a bit trickier than it would be on Windows. What you will want to do is check the /var/lib/dhcpd/dhcpd.leases file or the /var/log/messages file. The latter will show reservations, while the former is useful for seeing normal leases.
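The two checks above (unique reservation names, and reading dhcpd.leases) as an added shell example that is not from the original post. It assumes the stock ISC dhcpd file formats; the /etc/dhcp/dhcpd.conf path is an assumption, and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: two checks for an ISC dhcpd server
# on CentOS 7. Default paths are the leases file named in the post and the
# stock /etc/dhcp/dhcpd.conf location (assumed).
set -euo pipefail

# Print active leases as "IP MAC hostname". dhcpd.leases is append-only, so one
# IP can appear several times; the last block for an IP is its current state.
active_leases() {
    awk '
        /^lease / { ip = $2; state = ""; mac = "-"; host = "-" }
        /^[[:space:]]*binding state/ { state = $3; sub(/;/, "", state) }
        /hardware ethernet/ { mac = $3; sub(/;/, "", mac) }
        /client-hostname/ { host = $2; gsub(/[";]/, "", host) }
        /^}/ { if (state == "active") act[ip] = mac " " host; else delete act[ip] }
        END { for (ip in act) print ip, act[ip] }
    ' "$1" | sort -V
}

# Print host names declared more than once in dhcpd.conf. A notebook with a
# reservation for both its wired and wireless interface needs two names.
duplicate_hosts() {
    awk '/^[[:space:]]*host[[:space:]]/ { n[$2]++ }
         END { for (h in n) if (n[h] > 1) print h }' "$1" | sort
}

# Constructed sample data so both checks can be tried without a live server.
demo() {
    local tmp; tmp=$(mktemp -d)
    printf '%s\n' 'lease 192.168.1.51 {' '  binding state active;' \
        '  hardware ethernet 00:11:22:33:44:66;' '}' \
        'lease 192.168.1.51 {' '  binding state free;' '}' \
        'lease 192.168.1.50 {' '  binding state active;' '  next binding state free;' \
        '  hardware ethernet 00:11:22:33:44:55;' '  client-hostname "laptop-wired";' '}' \
        > "$tmp/dhcpd.leases"
    printf '%s\n' 'host laptop { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.20; }' \
        'host laptop { hardware ethernet 00:11:22:33:44:77; fixed-address 192.168.1.21; }' \
        'host printer { hardware ethernet 00:11:22:33:44:88; fixed-address 192.168.1.30; }' \
        > "$tmp/dhcpd.conf"
    echo "active leases:";        active_leases "$tmp/dhcpd.leases"
    echo "duplicate host names:"; duplicate_hosts "$tmp/dhcpd.conf"
    rm -rf "$tmp"
}

# No arguments: run the demo. Otherwise: <leases file> [dhcpd.conf].
if [ $# -eq 0 ]; then
    demo
else
    active_leases "$1"
    duplicate_hosts "${2:-/etc/dhcp/dhcpd.conf}"
fi
```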

Overall the project works well, and I look forward to the next phase, replacing Windows DNS with BIND.

Find Local Admin Accounts Within Your Windows Environment Using PowerShell

Limiting the number of local admin accounts is an important way to limit the ways an attacker can pivot within your environment. But how can you find out where all the local admin accounts are? 4sysops has a great script over at https://4sysops.com/archives/create-a-list-of-local-administrators-with-powershell/#script-usage, but if you want to make it just a little bit more useful, feed it a list of every computer in your AD to check against: GetLocalGroupMembers.ps1 -ComputerName (Get-ADComputer -Filter '*' | Select -Expand Name) >> file.txt. Note: you will need to have the PowerShell AD module installed for this to work properly. This will query every machine online within your environment to see who has a local admin account on which box. You can also check the output to see which machines were not available to scan the first time, and include them in subsequent scans.

Mitigating Angry Boss Phishing Attacks From Copycat Domains

Recently there was a wave of what I like to call the Angry-Boss attacks. It usually goes something like this: a phisher sends an email to someone in your organization with the ability to make wire transfers. They say that paying off a vendor is an urgent issue requiring immediate attention. What usually makes this work is that the phisher uses a copycat domain. For example, if your domain is example.com, the bad guy will send emails from a domain like exarnple.com (look closely to see the difference). The unsuspecting employee sees their boss’s name and what looks like their email address (the attacker has done their OSINT homework), and quickly tries to comply to keep their “boss” happy. Next thing you know, tens of thousands of dollars have left your organization, possibly never to return.

How can we mitigate this? Depending on your infrastructure, it should not be too hard. First, there is a program for Ubuntu (and I assume other Linuxes, but I usually have an Ubuntu machine or VM handy) called Urlcrazy. This software takes a domain name you give it and generates a list of copycat domains using a variety of misspellings and other techniques. Getting Urlcrazy to run does require installing an older version of Ruby and RubyGems. If anyone needs help with that, reach out and I will put together a post on how I did it. Here you can see a list of the copycat domains generated when I ran the program against my domain.

Once we have the list of domains, the rest is pretty simple. If your organization has a good spam-blocking tool in place, just add the copycat domains you generated to your list of blocked domains. Now you and your finance department can sleep a little easier.
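As an added example that is not part of the original post and not Urlcrazy's code, the following detection-side check complements the blocklist: it folds look-alike character sequences so that an inbound sender domain such as exarnple.com is flagged as imitating example.com, even for a variant the generated list did not anticipate. The substitution table and the sample addresses are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a detection-side complement to the
# Urlcrazy blocklist. Look-alike sequences (rn for m, vv for w, cl for d, 0 for
# o, 1 for l) are folded so exarnple.com is recognised as imitating example.com.
set -euo pipefail

# Reduce a domain to its visual skeleton. The substitution list is a
# constructed starting point, not a complete confusables table.
skeleton() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/rn/m/g' -e 's/vv/w/g' -e 's/cl/d/g' -e 's/0/o/g' -e 's/1/l/g'
}

# True when a sender domain is not our own (lower-cased) domain but collapses
# to the same skeleton. Our domain is expected in lower case.
is_lookalike() {
    local sender ours="$2"
    sender=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "$sender" != "$ours" ] && [ "$(skeleton "$sender")" = "$(skeleton "$ours")" ]
}

# Read sender addresses (one per line) on stdin and print those whose domain
# looks like ours. Mail genuinely from our own domain is passed over.
flag_senders() {
    local ours="$1" addr domain
    while IFS= read -r addr; do
        domain="${addr##*@}"
        if is_lookalike "$domain" "$ours"; then
            printf '%s\n' "$addr"
        fi
    done
}

# Constructed sample: the kind of From: domains seen in an angry-boss phish.
printf '%s\n' 'ceo@example.com' 'ceo@exarnple.com' 'ceo@examp1e.com' 'vendor@other.net' \
    | flag_senders example.com
```

Transpositions (exampel.com) and added or dropped letters are not caught by this skeleton; those remain the job of the generated blocklist.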