Can't communicate with smart IoT devices using HTTPS - http

Every time I purchase an IoT device (smart lock, bell, plug, etc.), there usually is also a way to use it by going to http://192.168.1.x, but there NEVER seems to be a way to communicate with it securely using HTTPS. Is this a big problem for HTTPS? Is there a solution for this? I don't want someone on my network to look at what I am sending to my device over HTTP, but I can't use HTTPS either. What can I do?
I know that TLS certificates require a hostname to verify the authenticity but these IoT devices only tell me to open the control panel using http and local IP. Does that mean all my communication with my smart device is in plain text and open for everyone to read?

Does that mean all my communication with my smart device is in plain text ...
If it is plain HTTP then yes.
... and open for everyone to read?
If everybody can read the communication inside your local network then yes. Fortunately, in most local networks this is not the case. For example, if you have your own WLAN that is properly secured with WPA2 and a strong password, then only those who know this password can access the local network - but they would then be able to sniff the traffic to the IoT device.
... but there NEVER seems to be a way to communicate it using HTTPS securely.
This depends on the actual device, i.e. some might offer HTTPS but many still don't. If this is a problem for you because your network is open to potential attackers, then you had better put these devices in a separate network that only you have access to.

Risks of creating a Minetest server on one's own network - Raspberry Pi 3 - Raspbian

I want to create a Minetest server on my Raspberry Pi 3 in my own network.
I know some discussions have been made (like Any risks in installing my own http server?), but I want to create a Minetest server.
I would like to know
• If it's dangerous to create a server in my own network
• If I can set up some protection, if it is dangerous.
Thanks
PS : Sorry for the mistakes, I'm French!
I'm going to assume here that you're intending to serve this internally. You certainly wouldn't want to put an external game server on a network that was also shared by your household. The Raspberry PI is assumed to be internal itself without a public IP or any way to be addressed beyond the local network.
Realistically speaking, you can probably assume an internal network is safe enough for inconsequential internal services, if physical and wireless access is adequately controlled. Looks like minetest is a game server, so unless you combine its server with other far more sensitive tasks, it's not like there's any dire consequence to unauthorized access.
But that perspective does seem a little naive, doesn't it? If access were to occur, the raspberry pi could probably be compromised, and from there, the IoT devices in the home, other private services, etc are at risk too. So, perhaps you're just a little too paranoid / experienced / virtuous to leave it at that.
If so, we can probably assume that the connection itself doesn't support much in the way of encryption, but it's likely we can successfully tunnel the connection in any number of ways to add an encryption layer "between" client and server.
The simplest of these is probably ssh. You're already using it to manage your raspberry pi, probably, and if you're not, you might want to (I for one need copy/paste between web and terminal, and I don't want to run gui on pi!). SSH offers a much higher standard of security than most protocols.
Conceptually, you execute an ssh client locally on the game client, configured to open a local port on the game client and forward packets received on that port to a remote port on the ssh server. The remote port need not be accessible on the network directly, only ssh (the game server would listen on localhost). The ssh tunnel uses strong encryption methods to pass the traffic over the untrusted network (yours, or perhaps any network for some traffic).
The process, when implemented, would look something like this:
• activate the ssh server on the pi if not yet done,
• obtain an ssh client for the game client machine (Putty for old Windows, built in for Linux or OSX etc., new Windows might have better support),
• generate an ssh keypair on the client (each client should do these steps; private keys are ideally never transferred),
• add the public key to the ssh user on the pi and verify that you can log in without a password,
• use the SSH tunnel in your client to create a local port that tunnels to the remote game server port. https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/ looks like a good putty tutorial, https://www.revsys.com/writings/quicktips/ssh-tunnel.html looks decent for unixy environs.
I prefer to take the safe and lazy route, assuming no network is necessarily secure, and weighing the convenience of accessibility against the security concerns. Using an ssh tunnel is, once you get used to it, a simple and straightforward way to access services across any untrusted network, be it your own, a public wifi, or the internet at large.

HTTP user/pass grab confusion

First and foremost, my knowledge of this subject is limited. So I'm reaching out to learn more. Any support would be greatly appreciated.
I've been trying to use Wireshark to learn more about different network traffic, how protocols work, etc. Specifically, I've been trying to see how it's possible to sniff a user/pass off my friend's website (don't worry, he made it solely to help me and there are no inappropriate intentions). He made a basic HTTP website to ensure the minimum security. When I log in, on my computer, using my own username and pass, I can see that Wireshark captures my information and I'm able to see my own username and pass.
However, if I use my phone to log in (w/ my own information), or if he logs in from his own computer, those usernames and passwords don't show up. Nothing shows up. I'm confused because we both expected that information to appear in Wireshark like it did when I signed in from my computer.
As I mentioned above, my knowledge isn't deep on this topic, so any pointers would be helpful!
Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface including unicast traffic not sent to that network interface controller's MAC address.
If you've set up Wireshark to capture the traffic on your computer, you will see all the traffic between your network interface and the server hosting the website.
However, Wireshark will not be able to capture the traffic from the network interface on your phone to the server.
If you set up Wireshark to capture the traffic on the server itself, then you will be able to see all the traffic in and out of it from any device used.

How does TeamViewer find my computer even if my computer is behind a firewall and the firewall isn't configured?

Do you use TeamViewer? (comic question, I know... Who doesn't use it?)
Do you have any idea how TeamViewer makes a connection even if I am behind a router, firewall, switch and my local firewall?
I'm trying to imagine a connection between a remote machine and my computer. The remote machine is sending the packets (with their headers (for instance, destination IP) and message body) to me, but it only knows my ID number (which is given by my local TeamViewer application).
And these packets reach my computer even though there is a Juniper firewall (and also my Windows firewall).
What kind of message body is the computer receiving? (of course it is not like xml, text, html, excel :)
Do you have any idea?
PS. Please share your knowledge like you are explaining to beginner level user.
The software is communicating with a central server, and has made an outbound connection. When you start TeamViewer, it will try to make a direct connection, but if both directions fail that (i.e. firewall or NATting at both places), then it will fall back on communicating through a server.
This is basically the same approach most online games use. Changes at one end are sent to a central server, and are then relayed back to the other connected computers.
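A small relay server that shows the fallback described in this answer, as an added, constructed illustration (not TeamViewer's real protocol): both peers make only outbound connections to the relay and announce an ID, and the relay pairs the sockets that gave the same ID and copies bytes between them, so neither peer ever needs an inbound port open.

```python
import socket
import threading

# Constructed teaching model of the "fall back on a central server" approach:
# each peer makes only an OUTBOUND connection to the relay and announces an ID;
# the relay pairs the two sockets that announced the same ID and copies bytes
# between them. This is not TeamViewer's real protocol.
def _read_line(sock):
    """Read one newline-terminated line byte by byte, consuming nothing past it."""
    buf = b""
    while not buf.endswith(b"\n"):
        buf += sock.recv(1) or b"\n"   # EOF also ends the line
    return buf.strip()

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then close both ends."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        src.close(); dst.close()

def serve_relay(listener, pairs=1):
    """Accept 2*pairs peers and join those that announced the same ID."""
    waiting = {}
    for _ in range(2 * pairs):
        conn, _addr = listener.accept()
        peer_id = _read_line(conn)
        if peer_id in waiting:
            other = waiting.pop(peer_id)
            threading.Thread(target=_pump, args=(conn, other), daemon=True).start()
            threading.Thread(target=_pump, args=(other, conn), daemon=True).start()
        else:
            waiting[peer_id] = conn

def connect_via_relay(relay_addr, peer_id):
    """Outbound-only connection, so it works from behind NAT or a firewall."""
    sock = socket.create_connection(relay_addr, timeout=5)
    sock.sendall(peer_id + b"\n")
    return sock

def demo():
    # Two peers that never accept a connection still exchange data via the relay.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(4)
    threading.Thread(target=serve_relay, args=(listener,), daemon=True).start()
    a = connect_via_relay(listener.getsockname(), b"123456789")
    b = connect_via_relay(listener.getsockname(), b"123456789")
    a.sendall(b"hello from A")
    reply = b.recv(1024)
    a.close(); b.close(); listener.close()
    return reply
```

The relay sees every byte in the clear, which is why a real product has to add end-to-end encryption on top of this arrangement.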

How to tamper with source IP address on Windows

We have a testing scenario that needs to tamper with the source IP address of an HTTP request to simulate clients coming from different countries. Do you know of any tool that can help with this?
Last but not least, our web site is built with ASP.NET.
Thanks.
In a test environment it usually isn't difficult. First read this SO question about virtual network interfaces.
If the server and client are on the same machine, all you have to do is figure out how to get your client software to bind to your virtual interface.
wget for instance has the --bind-address option to specify which local address to bind to. Web browsers are a bit more difficult to do this with; you may need to just run it in a VM.
If your server and client are on the same LAN, you just need to configure your router with some static routes to your client machine. In this case you probably don't need a virtual network interface, just set a static IP for your client machine; as long as the gateway is set up correctly it should be able to send packets to the server, and as long as the route is set up correctly the replies should find their way back to the client.
If the client and server are separated by an internet, it's rather more difficult. One option is to set up a network tunnel endpoint on the server and tunnel it to the client machine, which "knows" that it has the virtual network interface.
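An added example (not from the answer above) of the bind-to-an-interface idea in the same spirit as wget --bind-address: the client sets the source address of its HTTP request by binding the socket, and a throwaway server replies with the client address it saw. It assumes Linux, where every 127.0.0.0/8 address is on lo, so 127.0.0.2 can stand in for a second "client".

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example: the client chooses its source address by binding the socket
# (same idea as wget --bind-address); the server echoes the address it saw.
# Assumes Linux, where all of 127.0.0.0/8 is configured on lo.
class EchoClientAddr(BaseHTTPRequestHandler):
    """Reply with the peer address the server's TCP socket observed."""
    def do_GET(self):
        body = self.client_address[0].encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass

def get_with_source(server_addr, source_ip):
    """GET / with the client socket bound to source_ip; return the address the server saw."""
    conn = http.client.HTTPConnection(*server_addr, timeout=5,
                                      source_address=(source_ip, 0))
    try:
        conn.request("GET", "/")
        return conn.getresponse().read().decode()
    finally:
        conn.close()

def demo(source_ip="127.0.0.2"):
    """Start a throwaway server, make one bound request, shut the server down."""
    srv = HTTPServer(("127.0.0.1", 0), EchoClientAddr)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return get_with_source(srv.server_address, source_ip)
    finally:
        srv.shutdown()
        srv.server_close()
```

Binding only works for an address the host actually owns and the server can route back to; asking the OS to bind an address you do not have fails before any packet is sent, which is the two-way-communication limit the other answers describe.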
As noted in answers to the ServerFault question "Are IP addresses trivial to forge", you cannot easily forge source addresses in a protocol that requires two-way communication (e.g. TCP). Note that this "two-way communication" is required at the packet level. You cannot just say "no problem, I want to send requests and ignore HTTP responses." To establish a TCP session, you need to receive data. Your best bet is to use a proxy server.
I am unsure if the IP standard allows for this, but if you are working in a lab environment, where you don't need internet connectivity during the test, I can see it working under the following circumstances:
Basically, I would set the server's network interface to use netmask 0.0.0.0 and flush the rest of the routing table.
Then you could configure a client machine to take on any IP address as long as you use netmask 0.0.0.0. And two-way communication should be possible.
Server[1.2.3.4/0] <---> Client[x.x.x.x/0]
But please bear with me. I haven't tested this, so I could be wrong :-)
If you have access to your infrastructure, you can add an interface off the router and then place a static route on the router to that network.
Server-----Router----Internet
              /
Test_PC------/
Alternatively you can look into PBR (Policy Based Routing) and on the routers you can flag source packets and change the source on the fly, so your server will think they are coming from where you'd like them to come from.
Server-------------Router_with_PBR-------------Internet-----PC
SRC:4.2.2.2        Change SRC:6.6.6.6 to 4.2.2.2               6.6.6.6
But you have to ask yourself why do you want to see when packets come from different countries. Some countries have massive proxy servers that filter access ( "Great Firewall of China"), so the above tests will not prove much.
Your best bet then is using proxy servers, or if you're looking for a long-term solution then set up a server (virtual is great for this) and use RDP for testing. I'm sure you can rent a virtual server somewhere for a month or two.
That's not possible, because when you forge the IP address the response is never going to come back, which is required for HTTP.
The best way is to use proxies. See also this question on serverfault.
If you change your source IP address, that means no traffic from your web server will be able to reach back to the client.
You might be able to use some kind of proxy and/or address translation filter to do the remapping while still allowing two-way communication.

How to get the MAC address of the visitors' PC in an ASP.NET webApp?

In an ASP.NET (C#) WebApp, I can get the IP of the visitor's PC easily, but how do I get the MAC address of the visitor's PC in an ASP.NET webApp?
And this ASP.NET app is running on the inner intranet of our company, and the visitors are also on the same inner intranet of our company.
The MAC address is not part of the IP header (or any other protocols above that), and thus not available if all you see is the HTTP traffic.
EDIT (after OP's update): Since clients and servers are on the same internal network, wouldn't it be better to get a host name from the IP address instead of the MAC address? You can easily look up the host name based on the IP address.
The answer that immediately comes to mind, is that this is only possible if you write an ActiveX control that runs in the client browser to obtain this information on your behalf. On the other hand it might be possible with JavaScript on the client if the javascript can instantiate a COM object that will get the information. The only other way I can think of is have a windows service that does an ARP request once the IP has been captured.
You can't easily do this. There are protocols such as ARP which allow translation between MAC and IP addresses, but this traffic is typically behind a firewall and so not available to you on a public website.
On an intranet, you might be able to do something, but not via ASP.NET. You would need to use other mechanisms to capture this information - but those kinds of tools (e.g. packet sniffers) are generally not available to developers and may contravene corporate IS policies.
Since you're on the same subnet, you can P/Invoke GetIpNetTable to get the webserver's ARP table. If you do this real-time, no additional work would be necessary - since you're having a conversation with the client, you'll have the ARP info. Otherwise, you'd need to construct an ARP request or some IP traffic (say, a ping) to get it in the cache - and note that due to DHCP and other network vagaries (like a machine being turned off), it is possible that converting IP to MAC later will yield a different answer.
Note also that any external clients (i.e., ones across a router) just won't show up in the table - so be prepared to deal with that as well. If you need a MAC for them for some reason, it's technically your router's MAC.
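An added example (not the answer's code) of the lookup this answer describes, done on the text form of the table rather than through P/Invoke: it parses constructed Windows "arp -a" output into an IP-to-MAC map and refuses to answer for a client outside the server's subnet, since such a client could only ever resolve to the router's MAC.

```python
import ipaddress
import re

# Added example: resolve a client IP to a MAC from the web server's ARP cache
# ("arp -a" text, the same data GetIpNetTable returns) and handle the two
# failure modes the answer names: off-subnet clients and missing entries.
# The table below is constructed sample data.
SAMPLE_ARP_A = """\
Interface: 192.168.10.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-11-22-33-44-01     dynamic
  192.168.10.57         00-11-22-33-44-57     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_table(text):
    """Return {ip: (mac, type)} from 'arp -a' style output; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def client_mac(client_ip, table, server_network):
    """MAC for client_ip, or None if it is off-subnet or not (yet) in the cache."""
    net = ipaddress.ip_network(server_network, strict=False)
    if ipaddress.ip_address(client_ip) not in net:
        return None   # across a router: the cache would only hold the router's MAC
    entry = table.get(client_ip)
    if entry is None or entry[0] == "ff-ff-ff-ff-ff-ff":
        return None   # not cached (host off, entry expired) or a broadcast entry
    return entry[0]
```

Because ARP entries expire and DHCP leases move, treat the result as a point-in-time observation rather than a stable identifier.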
