Anonymous DNS FAQ

Yesterday evening we did our first public talk about our AEON project at the ITsecx conference. AEON stands for Anonymity Enhanced Onion Nameservice which means it is a nameservice which provides anonymity by utilizing onion routing.

There have been some questions from the audience after this talk and I would like to repeat them here since they may come up again.

Q: Isn’t Tor able to do DNS lookups itself?

A: Yes, basically it is but there are some constraints. It just works if the follow-up protocol is TCP-based, such as HTTP or SMTP and it requires that the request was properly “intercepted”. This works with e.g. the Tor browser bundle in respect to HTTP or with other application like ssh or similar if they are “socksified” explicitly with e.g. tsocks. It does not work in other cases and of course it does not work if you don’t use Tor.

 

Q: If you hook gethostbyname() then Chrome will not use AEON because it uses its own resolver library.

A: Yes, but we did never say that we hook gethostbyname(;-).

 

Q: If there is a limitation in message size why don’t you use the EDSN0 extension?

A: Because the limitation occurs not due to the packet size limit but due to the maximum domain name length which is still limited to 255 bytes, even with EDSN0.

 

Q: But won’t the DNS server operator will be set up if somebody misuses them in such a way?

A: No, because we do not misuse somebody’s name server. AEON is a standalone software and is run on your own choice. Internet name servers are used in the same protocol conforming way as they are used today.

 

Q: What about the current state of your SW development?

A: We have “something” running in our lab that does “something”. But be sure, you will be the first one being informed once our SW is ready.

 

SDCard/USB-Stick write-protected on Windows 7

Have you ever had the problem that you tried to delete something on your SDcard and your operating system told you that it is not possible because the removable disk is write-protected?

Well, it never happened to me because I use Linux, hence, things usually work and if not, there is always a reason which can be debugged 😉

Unfortunately, people in my neighborhood think that I am a general problem solver concering computers just because they know that I know a lot about computers that they do not know 😉

Thus, everybody contacts me if something goes wrong with his computer…and I love this, in particular if it is Windows…duh.

Yesterday, a friend came to me with two problems. First, something is wrong with his SDcards, they are write protected, although the mechanical lock is in the right position. Second, “something” is wrong with his notebook.

I checked the SDcards on my Linux computer. Nothing actually wrong. I freshly formatted them. Now let’s look at the computer; Windows 7 installed. I did some updates and some housekeeping jobs; everything alright again. Finally, I followed my intuition and tested the SDcards on the system and — surprise! They are write-protected.

My first guess was the virus scanner — Kaspersky. I temporarily deactivated it — no success. I tried to find any option at the disk properties from the context menu from Windows explorer — no suitable options available. I tried to find any option in Windows management console (mmc); no options found. I tried to recreate the partition, reformat; no success: “Windows is unable….write-protected.”.

Ok, let’s jfgi. And there is the solution: it is easy but I just ask myself how any non-export should ever solve this problem? The solution is — as always on Windows — a registry entry.

Set the key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlStorageDevicePoliciesWriteProtect to “0“. If it does not exist just add it yourself (and don’t forget to remount the SDcard).

Multiple Bibliographies with Latex

I am currently working on a book which is a compilation of various articles dealing with virtualization techniques. All articles are written in Latex and have the same template in common which makes it much easier to combine them into a single document. There are about 20 articles with four to five pages each. In total there are about 150 references.

Although Latex is designed to layout large text documents such as articles, reports, and  books, I encountered some troubles in this case. The challenge was to have several separate bibliography sections, one at the end of each chapter. There are packages available to accomplish this. The first package I tried is multibib. It is easy to use and it seems to work fine. Unfortunately, after including several of my articles, latex failed to compile the document with following error message:

No room for a new write newcites{.....}

After an intensive search for solutions it turns out that this is due to an internal limitation of Tex without a solution (without changing the source code of Tex). It is a limitation of file handles and the implementation of multibib exhausts them. There is a thread (http://mrunix.de/forums/showthread.php?t=69304) which redefines several commands and it basically works but there are still limitations. I extended the code but finally it turned out to be too much effort.

I decided to use a different package: bibunits. And this works as expected. Thanks to Thorsten Hansen for this package.

 

Running OnionCat Services in a Highly Secure Environment

Running services within dark nets requires a lot of caution and carefulness. If the services are not configured correctly they might leak information and reveal their real location or operator. This of course is also applicable to a service based on OnionCat.

This article explains how to run an OnionCat-based service in a highly secure environment encapsulated within a virtual machine. I assume that the reader is familiar with basic network concepts, such as IP addressing, switching, and routing.

Modes of Operation

Basically there are two modes that OC may be operated in. The “regular” mode in which it runs in parallel to all other services on a server like for example an OpenVPN client. This is recommended for OC network clients and users because it is more or less plug-n-play and doesn’t require any expert knowledge. The second mode is running OC as a network gateway for a system which exists solely within the OC network.

Configuring OC as a network gateway is an extremely secure solution for running services but it is rather complex to configure it. But don’t be afraid! Once you understood it you’ll see that there’s a simple concept behind. I will now explain how this works. The picture on the right shows the basic idea. In the middle you see a system within the OC network. It is completely separated from all other networks (such as the Internet). Below there is the network gateway. It runs Tor (and/or I2P) and OnionCat. On the left hand there is a “regular” OC client which accesses a service on the isolated system through the Tor and OC network.

Configuration

Now let’s explain how to configure this. We need any virtualization technology. In this example I use XEN for explanation but it works with other technologies as well, such as KVM, VMware, VirtualBox, or similar ones.

To configure this scenario we need two guest systems. Install any Linux or whatever Un*x on them. One acts as the network gateway. Let’s call it Charlie. The other one is the isolated system. I call it Isola. The essential part of this setup is the network configuration. The picture on the left shows the network configuration diagram. The gray boxes are standalone systems. On the left Dom0 of XEN, on the upper right Charlie and below Isola. The green boxes are network adapters and the red bars show network bridges. XEN networking is running in bridging mode. Thus, the physical network card is renamed to peth0 (which usually is eth0 on Linux) and the logical interface for Dom0 is called eth0. This type of configuration is activated by the network-bridge script within /etc/xen/xend-config.sxp. All XEN bridges are configured using the bridge-utils.

Charlie gets two network cards which are named eth0 and eth1 from its point of view. The first one is the uplink to the Internet, the second one is the interface to Isola and acts as the network gateway. XEN realizes those virtual adapters within the “real” world in Dom0 by the interfaces vif1.0 and vif1.1. The first one is bridged to peth0 for a real world connection. Vif1.1 will just end up at Isola. We need another virtual bridge to do so, hence, we create it as root using the bridge-utils.

Dom-0# brctl addbr br0

The name br0 is just a random name. The connection of the virtual XEN interfaces to this bridge is done by XEN automatically during the startup of the guest systems if configured in their configuration files. Edit Charlie’s config file /etc/xen/Charlie.cfg

vif = [ 'bridge=eth0', 'bridge=br0' ]

and Isola’s:

vif = [ 'bridge=br0' ]

Now boot Charlie and Isola.

Dom-0# xm create Charlie.cfg
dom-0# xm create Isola.cfg

Within Charlie now install Tor, OnionCat, and the bridge-utils. Configure Tor and OC appropriately. Let’s assume the Onion-URL aerukz4jvpg66ajd.onion. This corresponds to the IPv6 address fd87:d87e:eb43:0123:4567:89ab:cdef:0123. It is important to run OC in TAP-mode. TAP-mode is activated by the option -p. Start OC with the following command:

Charlie# ocat -p aerukz4jvpg66ajd.onion

OC will create a TAP device named tap0. As show in the picture above this adapter must be bridged to eth1. We use a new bridge for that.

Charlie# brctl addbr br0
Charlie# brctl addif br0 eth1
Charlie# brctl addif br0 tap0
Charlie# ifconfig br0 up
Charlie# ifconfig eth1 up
Charlie# ifconfig tap0 up

Charlie is now ready. Now let’s finalize it. All you have to do is to setup the IPv6 address on Isola. To do so bring up eth0 in Isola and then configure the IPv6 address. In theory this may be done with a single command but I sometimes I had troubles doing it at once on some Kernels.

Isola# ifconfig eth0 up
Isola# ifconfig eth0 add fd87:d87e:eb43:0123:4567:89ab:cdef:0123/48

With this setup Isola is exclusively within the OC network. There is no interface to any other network. It might be useful to add a second interface to Isola to do software updates but it should strictly be down during regular operation and should just be used during the time of updating the system.

 

Downloading android apps

Have you ever tried to download an Android App with your computer? It is a pain in the ass! There are countless pages which offer free downloads. But as soon as you click the download link you are either redirected to some other page or you are kindly request to register before downloading. Some pages even do not offer any download link at all although the advertise free downloads.

In my opinion this clearly is a violation of the term “free software download“. Free download means it is for free, i.e. you don’t have to pay for it and you can download it when ever and for what ever reason you like. Nobody has to care about. And this includes: no registration! Of course, this might be different for commercial software packages because there should happen some payment in the background. (Read more about the free software definition here.)

While searching the web for some Android packages (APKs) I found the following pages which seem to offer real free download of free Android packages without registration:

 

And those pages are just kidding you. Forget’em.

  • download4a.com
  • market.android.com
  • www.androidblip.com
  • www.androidzoom.com
  • www.software112.com
  • www.tomsguide.com
  • …and many more…

Android and WPA Enterprise

Recently, I acquired a new Android-based smart phone. Just to get familiar with it, playing around, and having phun with it.
Within the context of a research project dealing with voice encryption I was instructed to write some tools and apps on Android.

On our university we have a Wifi network running in WPA enterprise mode with PEAP and an inner MSChapV2 authentication. And surprisingly it worked straightaway. Well, not really. I had to install a Wifi configuration app. I used the Advanced Wifi Configuration Manager. But then it worked – great success!

Ok, let’s guess what is the first thing a typical geek will do with his Android phone? Yes of course, rooting and installing some custom image!

So I did. Originally an Ericsson customized Android 2.1 was running on my phone, and I upgraded to 2.2 and then 2.3. Currently I use GingerDX, a good Gingerbread mod. Thanks to doixanh!

Unfortunately, I noticed that the Wifi at the university campus did not work any more. Of course I blamed those network guys first for being unable to run a Wifi network since my WPA-PSK network at home still did work. But I further noticed that the Wifi on my notebook did still work, hence, I started to investigate what’s wrong with my Android phone.

If you google for it you’ll find a bunch of answers, e.g. this http://code.google.com/p/android/issues/detail?id=8804

Lot’s of people complaining about it. I found out that there is a known bug in wpa_supplicant provided with Android 2.2 but actually this was not true for my image. I think the reason is that there are so much different hand-crafted Andoid images out there that the problem cannot be generalized.

In my case the original installation was running a wpa_supplicant version 0.5.11 and it worked. After upgrading I didn’t work any more. For what every reason unpacking the update image during the installation procedure did not overwrite the old wpa_supplicant even though it was included in the zip file. Obviously, there seems to be some incompatibility between wpa_supplicant-0.5.11 and the responsible kernel module. Probably cfg80211 or mac80211 because WPA-PSK still did work.

What I did to resolve the problem is that I manually unzipped the Gingerbread image on my Linux computer and copied over the wpa_supplicant to the smart phone. This wpa_supplicant is of version 0.6.10 and immediately it worked pretty well.

 

High Perfomance XML, OpenSeamap, and OSM

Recently, we published a library for parsing XML files. We use a completely new approach to gain parsing performance. libhpxml is a stream parser written in C.

OpenSeamap is an open source project with the aim of creating a free sea chart. It is based on OSM and uses smfilter during the process of rendering. Smfilter is based on libhpxml.
Please feel free to check out the project pages of libhpxml and smfilter. Have fun with efficiently parsing XML 🙂

 

Manual rooting Android on Linux

A quick Google search for “Rooting Android” gives numerous results; mainly forum
posts of people looking for help but also lots of good (…and bad…) answers
with detailed instructions.
Most answers describe how to use SuperOneClick on Windows.
SuperOneClick simply is a front-end for copying and carrying out the exploit.
SuperOneClick is based on .NET version 2.0 or higher and the package contains a
version of ADB, the Android Debug Bridge. Usually it is part of the Android SDK.
With ADB you can for example copy files directly to the smartphone or open a
Linux shell.

Unfortunately, SuperOneClick did not work for me. I run Debian Linux (Kernel
2.6.32) on my computer and I tried execute SuperOneClick. It always hangs at
“Getting manufacturer…”. I tried to run SuperOneClick on WindowsXP in a VM but
it didn’t work either.

Before we start:
You do this at your own risk. We are not responsible if you damage your
device.

So here we go:
First, download SuperOneClick from shortfuse.org. (Edit, 20140826: The original link seams to have disappeared, thus, you can download it from here.) Create a directory and unzip it.

mkdir foo
cd foo
unzip ../SuperOneClickv2.1.1-ShortFuse.zip

Now cd into the directory ADB and make the Linux version of adb executable.

cd ADB
chmod 755 adblinux

Now connect your smart phone. Don’t mount the USB drive on your computer. On the
smart phone go to Settings/Applications/Development and activate USB Debugging.
Now test if adb can see the smartphone.
./adblinux devices
You should see something like this:

List of devices attached
4257323032BC4C34385A device

If you don’t get a device or a list of question marks it usually is just a
matter of permissions. The best way is to reconfigure udevd.
Find out the vendor id of your smartphone.
lsusb
You get a list of devices. Somewhere you should see your smartphone and the
vendor id.

Bus 002 Device 070: ID 0fce:2149 Sony Ericsson Mobile
Communications AB Xperia X8 (debug)

Create the file /etc/udev/rules.d/50-android.rules and add the
following content:

SUBSYSTEM=="usb", ATTRS{idVendor}=="0fce", MODE="0666", GROUP="plugdev"

Restart udevd and check if adb sees your device.

sudo /etc/init.d/udev restart

Now we copy the exploit code, the su command, and the super user app to the
device.

cd ..
ADB/adblinux push Exploits/psneuter /data/local/tmp
ADB/adblinux push Root/su-v3 /data/local/tmp
ADB/adblinux push Root/Superuser.apk /data/local/tmp

Now we open the adb shell and carry out the exploit.

ADB/adblinux shell

You should get a command prompt with a dollar sign.

$ cd /data/local/tmp
$ chmod 755 psneuter
$ ./psneuter

You will get disconnected. Reconnect to the shell. If it does not work
disconnect the device from USB and reconnect it. If this also does not work
reboot your smart phone and try to execute the exploit (psneuter) again. After
reconnecting you should be root. The prompt should now be a hash sign (#). Type
id and you will see uid=0.

Now remount the system drive in read/write mode. Type mount
and you will get a list of mounted devices. Finde the line with the
/system mount point.

/dev/block/mtdblock0 on /system type yaffs2 (rw)

Now remount it, copy the files to the system directory, and set the file mode
appropriately.

# mount -o remount,rw /dev/block/mtdblock0 /system
# cat su-v3 > /system/bin/su
# cat Superuser.apk > /system/app/Superuser.apk
# chmod 06755 /system/bin/su
# chmod 0755 /system/app/Superuser.apk

You should see the new app: Superuser. That’s all folks!
I tested this on a Sony Ericsson Xperia X8 running Android 2.1 and on a Samsung
Galaxy Mini running Android 2.2.

First Version of Garlicat released

Garlicat is a VPN adapter with dynamic IP configuration capability for the I2P network. Using Garlicat you can create an IP network on top of I2P.
What OnionCat is for Tor, Garlicat is for I2P.

Garlicat and Onioncat currently share 100% of its code base. The difference lies in some constants and “constant” variables.
Nevertheless, Garlicat was branched from the main branch because some slight code changes have been necessary. If everything turns out to be stable it will be merged back.

A quick HOWTO is found here and a source package can be downloaded here.