Tag Archives: Security

How to connect to .onion Tor domains with Firefox on Linux

So you are looking for an easy way of surfing the hidden network of .onion domains?. Many people probably will use some of the proxies available to reach the .onion domains. Unfortunately this is not a good idea for your privacy since the proxy owner can spy all your communications.

So, I’m going to explain in 3 easy steps how to configure Firefox to access .onion domains directly through your local Tor daemon. This way, we ensure all traffic goes directly to the tor network.

  1. Install Tor daemon.
  2. On Debian/Ubuntu Linux distributions this is as easy as:


    • sudo apt-get install tor
  3. Configure Firefox to tunnel requests to .onion domains via the Tor network
  4. This is the tricky part, because we only want Firefox to tunnel requests to .onion domains via the Tor network, but we don’t want Firefox tu tunnel all the other requests via the Tor network. To achieve this we are going to use a proxy configuration file.

    • Save the following content in a file (for example as ~/.proxy_pac)
      function FindProxyForURL(url, host) {
          isp = "PROXY ip_address:port; DIRECT";
          tor = "SOCKS 127.0.0.1:9050";
          if (shExpMatch(host,"*.onion")) {
              return tor;
          }
          return "DIRECT";
      }
      
    • And configure Firefox to use that file as a proxy configuration file (Edit->Preferences->Advanced->Network->Settings->Automatic proxy configuration URL).
      • You have to use the following syntax: file://absolute-path-to-the-file
      • If you are not sure, just open a new firefox window, and type on the browser location bar (the place where you type web addresses) the following URL file://. Now just browse your HDD to where you saved that file, right click on it and select Copy Link Location. Now paste such link location on the Automatic proxy configuration URL settings.
  5. Configure Firefox to tunnel DNS queries via a SOCKS5 proxy
  6. The last step is to tell Firefox that it should tunnel the DNS lookups via the Tor SOCKS5 proxy when we want to access a .onion domain. By default firefox will try to resolve .onion domains using our local DNS resolver, therefore it will fail to do that.
    To fix this, we should enable network.proxy.socks_remote_dns on the advanced configuration page:

    • In the browser location bar (the place where you type web addresses), type about:config and press Enter. This opens a different set of Firefox preferences. Where it says Search: at the top, type network.proxy.socks. The list of preferences will automatically change to show your proxy preferences.
      Highlight network.proxy.socks_remote_dns by clicking it only once. Then, right-click it. This opens a small pull-down menu. Select Toggle from the menu to change its value to true.

    This will make Firefox to tunnel all the queries to .onion domains via our local Tor daemon. This also adds privacy by preventing DNS queries to .onion domains from leaking.

Now restart Firefox and you should be able to surf .onion domains directly.

Unlocking a LUKS encrypted root partition remotely via SSH

If you are thinking on sending a new server to a remote datacenter for colocation or you have rented one or more servers in the cloud, probably you have thought that you would like to encrypt your server’s hard disk.

The problem is that if you encrypt the whole hard disk (the root partition) you will need some kind of KVM to type the password remotely every time the server is restarted … sure??? No!

Thanks to this nifty trick, you can enter the password remotely during the boot process. The trick involves embedding a small ssh server (dropbear) in the initramfs that allows you to enter the password remotely for the root partition at boot time.

For those who are lucky enough to use Debian, the procedure is so simple and easy as ::

1) Install your server with the root partition encrypted.

2) Install the required packages:

apt-get install openssh-server dropbear busybox

3) Copy the SSH key that has been generated automatically

scp root@my.server.ip.addr:/etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa.initramfs

4) If your server gets the IP address automatically (DHCP) ignore this step, otherwise you have to specify the IP configuration at the Kernel boot line. To do this edit the file /etc/default/grub and define the line:

GRUB_CMDLINE_LINUX="ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>"

Using the format specified in the file Documentation/nfsroot.txt of the Linux kernel documentation. For example:

GRUB_CMDLINE_LINUX="ip=192.168.122.192::192.168.122.1:255.255.255.0::eth0:none"

Reload the grub configuration

update-grub

5) Reboot

reboot

6) And unlock remotely!

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
	-i "~/id_rsa.initramfs" root@my.server.ip.addr \
	"echo -ne \"MyS3cr3tK3y\" >/lib/cryptsetup/passfifo"

And for those not lucky enough to use Debian, and also for those who have such luck, but want more details on this procedure, I am pasting here the archive cryptsetup/README.remote from Debian that I am sure that you will find very useful :)

$ zcat /usr/share/doc/cryptsetup/README.remote.gz

unlocking rootfs via ssh login in initramfs
-------------------------------------------

You can unlock your rootfs on bootup from remote, using ssh to log in to the
booting system while it's running with the initramfs mounted.


Setup
-----

For remote unlocking to work, the following packages have to be installed
before building the initramfs: dropbear busybox

The file /etc/initramfs-tools/initramfs.conf holds the configuration options
used when building the initramfs. It should contain BUSYBOX=y (this is set as
the default when the busybox package is installed) to have busybox installed
into the initramfs, and should not contain DROPBEAR=n, which would disable
installation of dropbear to initramfs. If set to DROPBEAR=y, dropbear will
be installed in any case; if DROPBEAR isn't set at all, then dropbear will only
be installed in case of an existing cryptroot setup.

The host keys used for the initramfs are dropbear_dss_host_key and
dropbear_rsa_host_key, both located in/etc/initramfs-tools/etc/dropbear/.
If they do not exist when the initramfs is compiled, they will be created
automatically. Following are the commands to create them manually:

# dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
# dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

As the initramfs will not be encrypted, publickey authentication is assumed.
The key(s) used for that will be taken from
/etc/initramfs-tools/root/.ssh/authorized_keys.
If this file doesn't exist when the initramfs is compiled, it will be created
and /etc/initramfs-tools/root/.ssh/id_rsa.pub will be added to it.
If the latter file doesn't exist either, it will be generated automatically -
you will find the matching private key which you will later need to log in to
the initramfs under /etc/initramfs-tools/root/.ssh/id_rsa (or id_rsa.dropbear
in case you need it in dropbear format). Following are the commands to do the
respective steps manually:

To create a key (in dropbear format):

# dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear

To convert the key from dropbear format to openssh format:

# /usr/lib/dropbear/dropbearconvert dropbear openssh \
	/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	/etc/initramfs-tools/root/.ssh/id_rsa

To extract the public key:

# dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | \
	grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub

To add the public key to the authorized_keys file:

# cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys

In case you want some interface to get configured using dhcp, setting DEVICE= in
/etc/initramfs-tools/initramfs.conf should be sufficient.  The initramfs should
also honour the ip= kernel parameter.
In case you use grub, you probably might want to set it in /boot/grub/menu.lst,
either in the '# kopt=' line or appended to specific 'kernel' line(s).
The ip= kernel parameter is documented in Documentation/nfsroot.txt in the
kernel source tree.


Issues
------

Don't forget to run update-initramfs when you changed the config to make it
effective!

Collecting enough entropy for the ssh daemon sometimes seems to be an issue.
Startup of the ssh daemon might be delayed until enough entropy has been
retrieved. This is non-blocking for the startup process, so when you are at the
console you won't have to wait for the sshd to complete its startup.


Unlocking procedure
-------------------

To unlock from remote, you could do something like this:

# ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
	-i "~/id_rsa.initramfs" root@initramfshost.example.com \
	"echo -ne \"secret\" >/lib/cryptsetup/passfifo"

This example assumes that you have an extra known_hosts file 
"~/.ssh/known_hosts.initramfs" which holds the cryptroot system's host-key,
that you have a file "~/id_rsa.initramfs" which holds the authorized-key for
the cryptroot system, that the cryptroot system's name is
"initramfshost.example.com", and that the cryptroot passphrase is "secret"

-- <debian@x.ray.net>, Wed, 30 Sep 2009

War Games

I have discovered a funny and didactic online game where you can test and improve your hacking skills. The objective of the game is to hack a Linux server and scale user privileges.  You start with user level1 and you must exploit several bugs on the system to get access to the highest levelX that you can achieve.

There are various game servers each one with different bugs that you can exploit to level up. When you get access to a level you can leave your firm on the server.

For example you can try the game blowfish that I love (currently I am stuck at level5 )

Telnet to blowfish.smashthestack.org port 6666 to recieve an encrypted passwd.
#decrypt it and log in to level2 (If you are too lazy to decrypt it google can help you)
ssh level2@blowfish.smashthestack.org -p 2222
#follow the hints and try to get access to level13

Your mission is not to get root (but if you do you would win the medal of honor 😉