Douane: easy firewall with app rules

Douane is a learn-as-you-go firewall that asks the user which network traffic to allow. It identifies a new application as soon as it attempts a network transfer and blocks that traffic until the user allows it; a rule for the application is then created from the user’s choice.

At its core, Douane is a Linux kernel module. It supports kernel version 3 or higher and uses the Netfilter framework. The user interface is written in Python 3 and Gtk 3, which makes it easily portable across Linux distributions. The Dialog process generates the GUI dialogs when an unknown activity is detected. The Configurator, or control panel, lets users configure the firewall from a central place. The last component is the Daemon process, which uses DBus to provide a server for inter-component communication and asks users for, or reminds them of, their decisions to allow or deny network traffic.

Features

  • Per application allow or deny traffic
  • Start/stop the firewall
  • Enable/disable the firewall autostart at boot
  • Configure rules
  • Shows latest tweets from Douane

Installation

Packages are available only for Arch Linux at the time of writing. The compilation steps for Ubuntu are:

Compilation area

$ mkdir ~/Douane
$ cd ~/Douane

Kernel module

$ sudo apt-get install dkms
$ git clone https://github.com/Douane/douane-dkms
$ cd douane-dkms
$ sudo make dkms

Being a dkms module, Douane will be recompiled automatically after kernel upgrades.

Daemon process

$ sudo apt-get install libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev
$ cd ~/Douane
$ git clone https://github.com/Douane/douane-daemon
$ cd douane-daemon
$ git submodule init && git submodule update
$ make
$ sudo make install

To start the daemon:

$ sudo service douane start

Dialog process

$ sudo apt-get install libboost-signals-dev libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libgtkmm-3.0-dev
$ cd ~/Douane
$ git clone https://github.com/Douane/douane-dialog
$ cd douane-dialog
$ git submodule init && git submodule update
$ make
$ sudo make install

To start the process:

$ douane-dialog &

Configurator

$ sudo apt-get install python3 python3-gi policykit-1 python3-dbus
$ cd ~/Douane
$ git clone https://github.com/Douane/douane-configurator
$ cd douane-configurator
$ sudo python3 setup.py install

Webpage: Douane

VPNDaemon: monitor VPN connections

Many of us use VPNs to connect to an office network or to protect our online footprint. However, a VPN disconnection may cause your applications to malfunction or reveal your identity when they fall back to the normal connection. VPNDaemon is a tool that monitors a VPN connection and kills any program when there is a disconnection. Continue reading VPNDaemon: monitor VPN connections

go-wol: Wake on LAN in Go

go-wol is a Wake on LAN packet generator written in Go. Wake on LAN (WOL) is a data link layer protocol for waking up systems remotely by sending a magic packet to the network card. Note that WOL must be supported by the hardware; normally there is a setting in the system BIOS to enable or disable it.

The WOL-enabled device listens for a magic packet that carries its MAC address encoded in the WOL scheme. As the protocol works at the data link layer, the IP address is irrelevant. The magic packet consists of 6 bytes of 0xff followed by 16 repetitions of the target device’s MAC address (102 bytes in total). go-wol generates this magic packet from the MAC address provided by the user and sends it out as a UDP broadcast.

Features

  • Wake up devices remotely using WOL
  • Store and manage MAC address aliases

Installation

To install the package you need the golang packages installed on your device. Run the following commands to install go-wol:

$ sudo apt-get install golang
$ go get github.com/sabhiram/go-wol

Usage

  • Wake up a device
    $ wol wake 00:11:22:aa:bb:cc
  • Store an alias
    $ wol alias skynet 00:11:22:aa:bb:cc

    Aliases are stored in ~/.config/go-wol/aliases

  • Wake up a device using alias
    $ wol wake skynet
  • List aliases
    $ wol list
  • Delete an alias
    $ wol remove skynet
  • Specify broadcast IP and port
    $ wol wake 00:11:22:aa:bb:cc -b 255.255.255.255 -p 7
    OR
    $ wol wake skynet --bcast 255.255.255.255 --port 7

    Default broadcast IP: 255.255.255.255, port: 9

  • Supported MAC address formats
    01-23-45-56-67-89
    89:0A:CD:EF:00:12
    89:0a:cd:ef:00:12
  • Unsupported MAC address formats
    1-2-3-4-5-6
    01 23 45 56 67 89

On GitHub: go-wol
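The packet layout and the MAC formats described above, as an added Python example (not go-wol’s own code): it validates the supported and unsupported address formats listed in the usage section, builds the 102-byte magic packet, checks a captured datagram the way a WOL-capable NIC would, and can send the packet as a UDP broadcast using go-wol’s defaults (255.255.255.255, port 9). The MAC address is the one from the post’s usage examples; the function and constant names are this example’s own.

```python
import re
import socket

# The post lists these as supported: six two-digit hex groups separated by
# ':' or '-', either case. Single-digit groups ("1-2-3-4-5-6") and space
# separators ("01 23 45 56 67 89") are rejected.
_MAC_RE = re.compile(
    r"^[0-9A-Fa-f]{2}(?P<sep>[:-])(?:[0-9A-Fa-f]{2}(?P=sep)){4}[0-9A-Fa-f]{2}$"
)

SYNC = b"\xff" * 6          # the 6-byte synchronisation stream
REPEATS = 16                # the MAC follows 16 times


def is_supported_mac(text: str) -> bool:
    """True if `text` is in one of the MAC formats the tool accepts."""
    return _MAC_RE.match(text.strip()) is not None


def parse_mac(text: str) -> bytes:
    """Return the six raw bytes of a MAC address, or raise ValueError."""
    if not is_supported_mac(text):
        raise ValueError(f"unsupported MAC address format: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text.strip()))


def magic_packet(mac: str) -> bytes:
    """Build the 102-byte WOL magic packet: 6 x 0xff, then the MAC 16 times."""
    return SYNC + parse_mac(mac) * REPEATS


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """The check a WOL-capable NIC performs: the sync stream somewhere in the
    frame, immediately followed by 16 copies of its own MAC address. Handy for
    confirming that a captured datagram really is a wake request for `mac`."""
    want = parse_mac(mac) * REPEATS
    idx = payload.find(SYNC)
    while idx != -1:
        if payload[idx + 6: idx + 6 + len(want)] == want:
            return True
        idx = payload.find(SYNC, idx + 1)
    return False


def send_magic_packet(mac: str, bcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the magic packet as a UDP broadcast. Defaults match go-wol's
    (255.255.255.255, port 9). Returns the number of bytes sent."""
    payload = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (bcast, port))


if __name__ == "__main__":
    pkt = magic_packet("00:11:22:aa:bb:cc")   # address from the post's usage examples
    print(len(pkt), "bytes:", pkt.hex(" "))
    # send_magic_packet("00:11:22:aa:bb:cc")  # uncomment on a LAN where this host exists
```

Because the packet is an unauthenticated broadcast, anything on the same L2 segment can wake the host; `is_magic_packet_for` is the kind of check a capture-based monitor would run to attribute wake requests to a MAC.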

Packet Sender: send receive network packets

Packet Sender is a handy utility for sending and receiving TCP and UDP packets. Like Ostinato, it is also an excellent tool for learning about or analysing network packets, as it shows the whole packet to be sent in hex. A packet has a name, a destination address (domain names trigger an IP lookup), a port, and data associated with it.

Features

  • GUI and CLI interfaces
  • Send multiple packets simultaneously
  • Edit fields of saved packets
  • Resend packets
  • Supports mixed ASCII and HEX notation
  • Optional response
  • Copy raw packet data to clipboard
  • Roll traffic log
  • Import or export packets
  • Supports Linux, Windows and Mac. The Android version is commercial.

Installation

Pre-compiled packages for Ubuntu are available for download here. Note that version 2.0 needs Qt 5.4.

Usage

The GUI is self-explanatory. Available cmdline options:

Syntax: packetsender [options] address port data

Options:
-?, -h, --help      Displays this help.
-v, --version       Displays version information.
-q, --quiet         Quiet mode. Only output received data.
-x, --hex           Parse data as hex (default).
-a, --ascii         Parse data as mixed-ascii (like the GUI).
-A, --ASCII         Parse data as pure ascii (no \xx translation).
-w, --wait    Wait up to  for a response after sending. Zero means do not wait (Default).
-b, --bind    Bind port. Default is dynamic.
-t, --tcp           Send TCP (default).
-u, --udp           Send UDP.
-n, --name    Send previously saved packet named . Other options overrides saved packet parameters.

Arguments:
address     Destination address. Optional for saved packet.
port        Destination port. Optional for saved packet.
data        Data to send. Optional for saved packet.

Example usage:

$ packetsender -taw 500 ubuntu.com 22 "Hello\nWorld"
TCP (56620)://91.189.94.156:22 48 65 6c 6c 6f 0a 57 6f 72 6c 64
Response HEX:53 53 48 2D 32 2E 30 2D 4F 70 65 6E 53 53 48 5F 35 2E 33 70 31 20 44 65 62 69 61 6E 2D 33 75 62 75 6E 74 75 33 2E 31 2E 49 53 2E 31 30 2E 30 34 0D 0A
Response ASCII:SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3.1.IS.10.04\r\n

Webpage: Packet Sender
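The three data notations from the options above (hex, mixed ASCII, pure ASCII) and the hex/ASCII views in the example output, as an added Python example that is not Packet Sender’s code. The escape grammar for mixed ASCII is assumed from the post’s "Hello\nWorld" example (\n, \r, \t, \\ and \XX for one byte as two hex digits); Packet Sender’s own grammar may differ in details. The shortened banner in the main block is constructed from the first bytes of the post’s response line.

```python
import socket

# Escapes assumed for the mixed-ASCII mode (the post's example shows "\n" -> 0a;
# Packet Sender's own grammar may differ): \n \r \t \\ and \XX (two hex digits).
_NAMED = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C}
_HEXDIGITS = set("0123456789abcdefABCDEF")


def mixed_ascii_to_bytes(text: str) -> bytes:
    """-a mode: literal characters plus backslash escapes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.extend(ch.encode("latin-1"))
            i += 1
            continue
        two = text[i + 1:i + 3]
        if len(two) == 2 and all(c in _HEXDIGITS for c in two):
            out.append(int(two, 16))          # \XX
            i += 3
        elif text[i + 1:i + 2] in _NAMED:
            out.append(_NAMED[text[i + 1]])   # \n \r \t \\
            i += 2
        else:
            raise ValueError(f"bad escape at offset {i}: {text[i:i + 3]!r}")
    return bytes(out)


def pure_ascii_to_bytes(text: str) -> bytes:
    """-A mode: no backslash translation at all."""
    return text.encode("latin-1")


def hex_to_bytes(text: str) -> bytes:
    """-x mode (the default): hex digits, whitespace between bytes ignored."""
    return bytes.fromhex(text)


def to_hex_view(data: bytes) -> str:
    """Space-separated lowercase hex, as in the post's log line."""
    return " ".join(f"{b:02x}" for b in data)


def to_ascii_view(data: bytes) -> str:
    """Printable bytes as themselves, CR/LF/TAB/backslash as named escapes,
    everything else as \\XX (the reverse of mixed_ascii_to_bytes)."""
    names = {0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t", 0x5C: "\\\\"}
    parts = []
    for b in data:
        if b in names:
            parts.append(names[b])
        elif 0x20 <= b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:02x}")
    return "".join(parts)


def send_packet(address: str, port: int, data: bytes, tcp: bool = True,
                wait_ms: int = 0) -> bytes:
    """Minimal equivalent of `packetsender -t/-u -w`: send `data` and, if
    wait_ms > 0, wait up to that long for a response. Returns the response
    (empty bytes if none arrived or none was waited for)."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as sock:
        sock.settimeout(5)
        if tcp:
            sock.connect((address, port))
            sock.sendall(data)
        else:
            sock.sendto(data, (address, port))
        if wait_ms <= 0:
            return b""
        sock.settimeout(wait_ms / 1000)
        try:
            return sock.recv(65535)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    payload = mixed_ascii_to_bytes("Hello\\nWorld")
    print(to_hex_view(payload))                       # 48 65 6c 6c 6f 0a 57 6f 72 6c 64
    banner = hex_to_bytes("53 53 48 2D 32 2E 30 2D 0D 0A")   # constructed, shortened banner
    print(to_ascii_view(banner))                      # SSH-2.0-\r\n
```

Seeing the exact bytes that leave the socket is the point of such a tool: the difference between the `-a` and `-A` modes is whether the backslash sequences are translated before sending, and `to_ascii_view` is why the log shows `\r\n` rather than a line break.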

Wonder Shaper: limit interface bandwidth usage

Wonder Shaper can control the bandwidth usage of an interface and balance uplink and downlink speeds. Its intent is similar to that of tools like NetHogs or trickle. The utility is a shell script that uses tc for traffic shaping and QoS on an interface: outgoing requests are placed in queues of different priorities, and incoming traffic is controlled by dropping packets.

The stated goals of the project are:

  • Maintain low latency for interactive traffic. Services like Telnet or SSH should not appear sluggish.
  • Allow surfing at reasonable speeds during upload and download.
  • Make sure uploads don’t harm downloads, and vice versa.

Installation

To install Wonder Shaper on Ubuntu:

$ sudo apt-get install wondershaper

Usage

  • Show the status of traffic shaping on an interface
    $ wondershaper wlan0
  • Remove traffic shaping from an interface
    $ wondershaper clear wlan0
  • Shape traffic for an interface by specifying downlink and uplink speeds in kilobits per second
    $ wondershaper [ interface ] [ downlink ] [ uplink ]
    e.g.
    $ wondershaper wlan0 100000 20000

Webpage: Wonder Shaper

More network tools from ntop devs

If you are not familiar with it, ntop is a tool that shows network usage, similar to what the popular top command does for processes. While ntop is a very useful utility, the developers didn’t stop there: they offer many more free network utilities for network monitoring, capture, replay, analysis and VPN. In this article we will explore those. Continue reading More network tools from ntop devs

wifiphisher: automated WPA phishing (MitM) attacks

wifiphisher is a semi-automated Python utility that tries to reveal the WPA password of a WiFi network using social engineering. The technique differs from the brute-force attack used in tools like Pyrit. wifiphisher is installed by default on Kali Linux. In this article we will explain how to install and run it on Ubuntu.

wifiphisher uses a three-stage procedure to retrieve passwords:

  1. Use DoS (Denial of Service) methods to disconnect the victim. The tool sends de-authentication packets from the access point to the client and vice versa. It also sends the same to the broadcast address.
  2. Create a rogue access point based on the target access point’s settings. It also fakes a NAT/DHCP server and does port-forwarding. Because of the continuous attacks, the victim is forced to connect to the rogue access point, and a Man in the Middle attack is initiated.
  3. Once the victim joins the rogue access point, they are served a router configuration page that looks authentic. It prompts for a router firmware upgrade and requests the password. If the victim enters the password, the tool reveals it in the console.

Installation

Besides software dependencies, wifiphisher needs two wireless network interfaces, one capable of injection (how to test).

To install wifiphisher on Ubuntu:

$ sudo apt-get install python-scapy tcpdump isc-dhcp-server hostapd
$ git clone https://github.com/sophron/wifiphisher.git

Usage

To run wifiphisher:

$ cd wifiphisher
$ sudo ./wifiphisher.py
OR
$ sudo python ./wifiphisher.py

The steps beyond this are self-explanatory. wifiphisher detects the accessible access points. You need to press <Ctrl-c> and enter the number of the victim’s access point. wifiphisher then starts the attack. From here, everything is automatic, and if it can lure the victim into entering his/her password, you get it in your console.

Detected Access Point list

A successful attack

wifiphisher options:

  • -m, --maximum: Choose the maximum number of clients to deauth. The list of clients will be emptied and repopulated after hitting the limit. Example: -m 5
  • -n, --noupdate: Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
  • -t, --timeinterval: Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like ‘no buffer space’, try: -t .00001
  • -p, --packets: Choose the number of packets to send in each deauth burst. Default value is 1: 1 packet to the client and 1 packet to the AP. To send 2 deauth packets to the client and 2 to the AP: -p 2
  • -d, --directedonly: Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs
  • -a, --accesspoint: Enter the MAC address of a specific access point to target
  • -jI, --jamminginterface: Choose the interface for jamming. By default the script finds the most powerful interface and starts monitor mode on it.
  • -aI, --apinterface: Choose the interface for the fake AP. By default the script finds the second most powerful interface and starts monitor mode on it.

Note that wifiphisher may not work in several circumstances: the victim may smell something fishy and back off, or may not remember the access point password, which is often saved rather than memorized. In addition, secondary systems would likely trigger warnings when the target is redirected to the cloned login page, mainly because the ‘duped’ page is not served from a secure and authenticated environment.

On GitHub: wifiphisher
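The first two stages described above are loud on the air: a burst of de-authentication frames carrying the access point’s address (including some to the broadcast address), followed by beacons for the same SSID from a BSSID nobody has seen before. The following added Python example, which is not part of wifiphisher or of the original post, is the detection side of that picture: a small wireless-IDS check run over constructed 802.11 management-frame records. The frame records, the `KNOWN_APS` inventory, and all MAC addresses are constructed for the example; a real deployment would fill the records from a monitor-mode capture.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed inventory of legitimate access points: SSID -> known BSSIDs.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def frame(t, subtype, src, dst, bssid=None, ssid=None):
    """One decoded 802.11 management frame as a plain dict (constructed records)."""
    return {"t": t, "subtype": subtype, "src": src, "dst": dst,
            "bssid": bssid or src, "ssid": ssid}


def detect(frames, window=2.0, threshold=10):
    """Return [(alert_type, subject, detail)], one entry per distinct finding.

    deauth_flood     : >= threshold deauth/disassoc frames from one transmitter
                       inside `window` seconds (stage 1 of the attack above).
    broadcast_deauth : a deauth/disassoc addressed to ff:ff:ff:ff:ff:ff, which
                       legitimate access points practically never send.
    evil_twin        : a beacon carrying a known SSID from a BSSID that is not
                       in the inventory (stage 2, the rogue access point).
    """
    alerts = {}
    recent = defaultdict(deque)       # transmitter -> timestamps of recent deauths
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["subtype"] in ("deauth", "disassoc"):
            q = recent[f["src"]]
            q.append(f["t"])
            while f["t"] - q[0] > window:   # drop frames older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(("deauth_flood", f["src"]),
                                  f"{len(q)} frames within {window}s starting t={q[0]}")
            if f["dst"] == BROADCAST:
                alerts.setdefault(("broadcast_deauth", f["src"]),
                                  f"{f['subtype']} to broadcast at t={f['t']}")
        elif f["subtype"] == "beacon" and f["ssid"] in KNOWN_APS:
            if f["bssid"] not in KNOWN_APS[f["ssid"]]:
                alerts.setdefault(("evil_twin", f["bssid"]),
                                  f"beacon for known SSID {f['ssid']!r} at t={f['t']}")
    return [(kind, subject, detail) for (kind, subject), detail in alerts.items()]


AP = "aa:bb:cc:00:00:01"
CLIENT = "11:22:33:44:55:66"

# Constructed benign traffic: the real AP beaconing and one client leaving normally.
BENIGN_FRAMES = [
    frame(0.0, "beacon", AP, BROADCAST, ssid="CorpWiFi"),
    frame(0.5, "deauth", CLIENT, AP, bssid=AP),
    frame(1.0, "beacon", AP, BROADCAST, ssid="CorpWiFi"),
]

# Constructed attack traffic: a burst of deauths with the AP's address as source,
# one to broadcast, and a beacon for the same SSID from an unknown BSSID.
ATTACK_FRAMES = BENIGN_FRAMES + [
    frame(0.1 * i, "deauth", AP, CLIENT) for i in range(12)
] + [
    frame(0.05, "deauth", AP, BROADCAST),
    frame(1.5, "beacon", "de:ad:be:ef:00:01", BROADCAST, ssid="CorpWiFi"),
]


if __name__ == "__main__":
    for alert in detect(ATTACK_FRAMES):
        print(*alert)
```

The threshold and window are tuning knobs: a single de-authentication from a client is normal roaming, a dozen in two seconds with the access point’s address as the source is not. The standard mitigation for stage 1 is 802.11w (Protected Management Frames), which lets clients reject de-authentication frames that are not cryptographically protected; the beacon check covers stage 2 independently of that.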

Effective SSH on Ubuntu

Using SSH to connect to a remote system is part of the job for many people. There are many tweaks available to play around with in SSH. However, you may not always be connecting from the same system. Here’s a quick guide to a responsive experience over SSH, even with X forwarding. All the changes are on the client side, so whether they work also depends on how the server is configured. In a secured network you may not be allowed to change anything on the server, which is why there are no SSH server config changes here.

In the rest of the article, ssh config file refers to /etc/ssh/ssh_config on the client system from which you are connecting.

Forward X11

$ ssh -X user@remote.com

or, add the following to the ssh config file to make it permanent

Host remote.com
ForwardX11Trusted yes   # if you trust remote.com
ForwardX11 yes          # even if remote.com is untrusted

Compression and reasonable encryption

$ ssh -XC -c blowfish-cbc,arcfour user@remote.com

or, add the following to the ssh config file

Host remote.com
 Compression yes
 Ciphers blowfish-cbc,arcfour

Disconnect hung connection

It happens more often than you think! You can get out of a hung SSH connection by typing

Enter~.

i.e., you press Enter, then ~, then .

Re-use connections

This one is a bit risky because if the master session hangs, the newly created ones will also hang, forcing you to delete the socket or kill it manually.

To try it out, add the following to the config file

Host *
ControlMaster auto
ControlPath /tmp/ssh_mux_%h_%p_%r

If you can’t avoid using SSH from mobile or tablet devices, check out mosh.
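The three client-side snippets above are worth re-checking before copying them onto a current system: the cipher list dates from older OpenSSH releases (blowfish-cbc and arcfour were disabled by default in OpenSSH 7.0 and removed in 7.6), ForwardX11Trusted gives the remote host unrestricted access to the local X server, and ssh_config(5) recommends keeping the ControlPath socket in a directory other users cannot write to. Here is an added Python example, not part of the original post, that parses ssh_config-style text and reports those three settings, using the post’s own snippets (joined into one constructed config, with `#` comments, which is the only comment syntax ssh_config accepts) beside a constructed hardened version. The `LEGACY_CIPHERS` set and the function names are this example’s own.

```python
import re

# Ciphers OpenSSH disabled by default in 7.0 and (for arcfour/blowfish/cast)
# removed outright in 7.6; a client still listing them will fail to negotiate
# with a current server or, worse, talk to an old one with weak crypto.
LEGACY_CIPHERS = {"arcfour", "arcfour128", "arcfour256",
                  "blowfish-cbc", "cast128-cbc", "3des-cbc"}


def parse_ssh_config(text):
    """Return [(host_pattern, keyword_lowercase, value)] in file order.
    '#' starts a comment; 'key value' and 'key=value' are both accepted,
    as in ssh_config(5). Entries before any Host line fall under '*'."""
    entries, host = [], "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            host = val
        else:
            entries.append((host, key, val))
    return entries


def lint_ssh_config(text):
    """Return [(host_pattern, Keyword, message)] for settings worth a second look."""
    findings = []
    for host, key, val in parse_ssh_config(text):
        if key == "ciphers":
            bad = [c for c in val.split(",")
                   if c.lower() in LEGACY_CIPHERS or c.lower().endswith("-cbc")]
            if bad:
                findings.append((host, "Ciphers",
                                 "legacy ciphers " + ", ".join(bad) + ": disabled by "
                                 "default since OpenSSH 7.0, arcfour/blowfish removed "
                                 "in 7.6; prefer chacha20-poly1305@openssh.com or AES-GCM"))
        elif key == "forwardx11trusted" and val.lower() == "yes":
            findings.append((host, "ForwardX11Trusted",
                             "the remote side gets unrestricted access to your X server; "
                             "limit this to hosts you trust (ForwardX11 alone uses "
                             "untrusted X11 forwarding)"))
        elif key == "controlpath":
            has_tokens = "%C" in val or all(t in val for t in ("%h", "%p", "%r"))
            if val.startswith("/tmp") or not has_tokens:
                findings.append((host, "ControlPath",
                                 "keep the mux socket in a directory other users cannot "
                                 "write to (e.g. ~/.ssh/) and include %h, %p and %r or %C, "
                                 "as ssh_config(5) recommends"))
    return findings


# The post's own three snippets, joined into one constructed client config.
PAGE_CONFIG = """
Host remote.com
ForwardX11Trusted yes   # if you trust remote.com
ForwardX11 yes          # even if remote.com is untrusted
 Compression yes
 Ciphers blowfish-cbc,arcfour

Host *
ControlMaster auto
ControlPath /tmp/ssh_mux_%h_%p_%r
"""

# The same settings with the three findings addressed (constructed).
HARDENED_CONFIG = """
Host remote.com
 ForwardX11 yes
 Compression yes
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

Host *
 ControlMaster auto
 ControlPath ~/.ssh/mux-%C
"""

if __name__ == "__main__":
    for host, keyword, message in lint_ssh_config(PAGE_CONFIG):
        print(f"[{host}] {keyword}: {message}")
```

Run it against your own ~/.ssh/config or /etc/ssh/ssh_config by reading the file into `lint_ssh_config`; the parser deliberately ignores Match blocks and Include directives, so treat it as a quick check rather than a full ssh_config implementation.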

vnstat: monitor internet data usage

If you have a data transfer limit on your internet connection, you might want to keep tabs on how much data you have consumed already. The ISP stores this information on its servers and might provide you an option to view it. If that option isn’t there, try vnstat, written exactly to solve this problem. Continue reading vnstat: monitor internet data usage