I am looking for an export function in Wireshark (or tshark, whatever) to save my decrypted ESP packets (decrypted with SPI, AES128-CBC, HMAC-SHA1 keys).
Displayed packets are decrypted but if I save them to a pcap file (with File > Save specific packets), they are saved as encrypted ...
Same with tshark -r my.pcap -w out.pcap ...
Any idea?
I have no idea whether Wireshark supports such feature.
If the capture file was decrypted on PC1 and you want to see it on PC2, append your PC1's esp_sa file to PC2's esp_sa and add a newline to the end of PC2's esp_sa.
esp_sa is a text file and you can find it under
C:\Users\YourUserName\AppData\Roaming\Wireshark\
I have a hash file from the image; my device is a Surface Pro, BitLocker encrypted image.
Recovery Key hash #0:
$bitlocker$2$16$57debb77a3b130a92397f8c063049274$1048576$12$20cfa3155178d70198020000$60$ad91090585684fe3da68e053c0cbfdaae24e8bd5c6b50978790b964d3b2a808c3394a833c690cc9c99c0364d9df1fac40bdcadcd2b987a7d780bfdc3
when I run
hashcat.exe -m 22100 bitlocker.txt rockyou.txt
I get an error
Hashfile 'bitlocker.txt' on line 1 ($bitlo...9df1fac40bdcadcd2b987a7d780bfdc3): Salt-value exception
No hashes loaded.
Note also that Hashcat only supports $bitlocker$1$...
You should try to extract a $1 hash ... alternatively it should work with bitcracker
We have a centralized rsyslog infrastructure capturing events from TCP sent by devices around the world using imtcp module.
The idea is to read from syslog (TCP) and store the events to disk, one line per event. The events are later processed by other consumers.
As far as we can see, some events are split into multiple events once they are stored on the disk, breaking the rest of our process.
Capturing one single packet with tcpdump, we confirmed that the source syslog is sending us the whole event containing multiple lines (typical Java exceptions).
[root@xx xx.xx.xx.xx]# tcpdump -i bond0 tcp port 50520 -A -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:12:26.062110 IP xx.xx.xx.xx.com.41444 > xx.xx.xx.com.50520: Flags [P.], seq 3270590174:3270590613, ack 2646946316, win 27, options [nop,nop,TS val 3937801207 ecr 2623497312], length 439
E....`#.<.ML..A....N...X..>...2......q.....
....._d`<13> xxx #2.0.#2021 02 10 12:19:50:898#+00#Info#com.xx.xx.xx.xx.xx#
##JavaEE/xx#xx#xx#JavaEE/xx#com.xx.xx.xx.xx.APIServiceHandler#xx#xx##xx#xx##0#Thread[HTTP Worker [#xx],5,Dedicated_Application_Thread]#Plain##
Is the user getting thru SSO? xx:true#
1 packet captured
44 packets received by filter
2 packets dropped by kernel
As this is a global system, we cannot request the device owners to modify the format, all the actions should take place on our side.
This is our rsyslog.conf file
$MaxMessageSize 128k
# Global configuration/modules
module(load="imtcp" MaxListeners="100")
module(load="imfile" mode="inotify")
module(load="impstats" interval="10" resetCounters="on" format="cee" ruleset="monitoring")
module(load="mmjsonparse")
module(load="mmsequence")
module(load="omelasticsearch")
module(load="omudpspoof")
# Include all conf files
$IncludeConfig /etc/rsyslog.d/*.conf
And this is our template that reads from TCP and writes to file (/etc/rsyslog.d/template.conf)
template(name="outjsonfmt_device" type="list") {
constant(value="{")
property(outname="device_ip" name="fromhost-ip" format="jsonf")
constant(value=",")
property(outname="time_collect" name="timegenerated" dateFormat="rfc3339" format="jsonf")
constant(value=",")
constant(value="\"device_type\":\"device\"")
constant(value=",")
property(outname="collector_id" name="$myhostname" format="jsonf")
constant(value=",")
property(outname="msg" name="rawmsg-after-pri" format="jsonf" )
constant(value="}\n")
}
template(name="device-out-filename" type="string" string="/data1/input/device/%fromhost-ip%/device_%$now-utc%_%$hour-utc%.log")
ruleset(name="writeRemoteDataToFile_device") {
action(type="omfile" dynaFileCacheSize="10000" dirCreateMode="0700" FileCreateMode="0644" dirOwner="user" dirGroup="logstash" fileOwner="user" fileGroup="user" dynafile="device-out-filename" template="outjsonfmt_device")
}
input(type="imtcp" port="50520" ruleset="writeRemoteDataToFile_device")
How can we configure rsyslog to escape line breaks in the middle of an event, prior to writing the event to disk? We already tried $EscapeControlCharactersOnReceive with no success, and other similar parameters.
imtcp has a module parameter DisableLFDelimiter which you could try setting to "on" to ignore line-feed delimiters, assuming your input has an octet-count header. The page says: "This mode is non-standard and will probably come with a lot of problems."
module(load="imtcp" MaxListeners="100" DisableLFDelimiter="on")
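The framing behind this answer, as an added example (not rsyslog's code and not from either poster): a receiver that treats every line feed as an event boundary necessarily splits a stack trace into several events, while RFC 6587 octet-counting (the "octet-count header" the answer refers to) carries the length up front and keeps the event whole. The sample event is constructed after the capture in the question; reassemble_by_pri is a receiver-side heuristic of my own (treat any line without a leading <PRI> as a continuation), not an rsyslog feature, and escape_control_chars shows the one-line-per-event storage the question asks for.

```python
import re

# Constructed sample event, modelled on the capture in the question:
# one syslog message whose body spans three lines.
EVENT = (
    "<13> xxx #2.0.#2021 02 10 12:19:50:898#+00#Info#com.xx.xx.xx.xx.xx#\n"
    "##JavaEE/xx#xx#xx#JavaEE/xx#com.xx.xx.xx.xx.APIServiceHandler#xx#Plain##\n"
    "Is the user getting thru SSO? xx:true#"
)
SECOND = "<14> yyy #single-line event#"   # constructed, ordinary one-line event


def frame_lf(msg):
    """Non-transparent framing: the sender appends a LF after each message."""
    return msg.encode() + b"\n"


def frame_octet_counting(msg):
    """RFC 6587 octet-counting: 'MSG-LEN SP MSG', length in bytes."""
    body = msg.encode()
    return str(len(body)).encode() + b" " + body


def parse_lf_delimited(stream):
    """What an LF-delimited receiver does: every LF ends an event."""
    return [line.decode() for line in stream.split(b"\n") if line]


def parse_octet_counting(stream):
    """Octet-counting receiver: read the length, then exactly that many bytes."""
    events, pos = [], 0
    while pos < len(stream):
        m = re.match(rb"(\d+) ", stream[pos:])
        if not m:
            raise ValueError(f"no octet-count header at offset {pos}")
        n = int(m.group(1))
        start = pos + m.end()
        body = stream[start:start + n]
        if len(body) != n:
            raise ValueError("truncated message")
        events.append(body.decode())
        pos = start + n
    return events


PRI_RE = re.compile(r"<\d{1,3}>")


def reassemble_by_pri(lines):
    """Hypothetical receiver-side heuristic for when the sender cannot change
    framing: a line that does not start with a <PRI> header is treated as a
    continuation of the previous event (how consumers often re-join traces)."""
    events = []
    for line in lines:
        if PRI_RE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def escape_control_chars(msg):
    """One-line-per-event storage: escape backslash, CR and LF so a later
    consumer can split on LF safely and still recover the original text."""
    return msg.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


if __name__ == "__main__":
    lf_stream = frame_lf(EVENT) + frame_lf(SECOND)
    oc_stream = frame_octet_counting(EVENT) + frame_octet_counting(SECOND)
    print("LF-delimited receiver sees", len(parse_lf_delimited(lf_stream)), "events")
    print("octet-counting receiver sees", len(parse_octet_counting(oc_stream)), "events")
    for ev in reassemble_by_pri(parse_lf_delimited(lf_stream)):
        print(escape_control_chars(ev))
```

DisableLFDelimiter only helps if the devices actually send octet-counted frames; with plain LF framing, as the capture suggests, the split happens at the transport layer before any template runs, so the re-join has to happen in a consumer (or a sender-side change) rather than in the omfile template.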
I can access a REST API using curl by sending a system command and using pipe as below
filename fn pipe "curl -k -u &user.:&pass. 'https://blahblah.com/rest/api/content/108428908/child/attachment' ";
data new;
infile fn;
input;
put _infile_;
run;
This works, but I'd like to use PROC HTTP so I get the response back in a .json file rather than in the log, and I can use SAS password encryption. Here's my PROC HTTP code:
filename out "/blah/blahblah/output.json";
proc http
url = 'https://blahblah.com/rest/api/content/108428908/child/attachment'
method = "GET"
webusername = "&user"
webpassword = "&pass"
out = out
;
run;
This works as far as giving me a json file, but the json file I get back says "User not permitted to view attachments on content", which is the response I was getting from curl before adding the -k option (i.e. --insecure).
So how can I do the equivalent of -k in PROC HTTP? (Tell SAS not to check the SSL Cert). Modifying any options outside of those which can be specified within the .SAS file is not an option, as I don't have the access to change those.
Is setting the SSLREQCERT flag an option? According to this it looks like you can use the ALLOW option to tell the server to allow connections that fail the SSL handshake.
The most correct answer here is to NOT ignore the SSL issue and instead add the certificate to the appropriate trust manager/key store on the machine where you are running PROC HTTP. The method by which to do this varies by OS and SAS version. This documentation page will provide some insight into how to do this.
I'm trying to automate centos installs via PXE and kickstart with encrypted filesystems. In case we mislay the passphrase we want to use escrow files and encrypt them using the public key attached to an x509 certificate obtained from a web server. The relevant line in the kickstart file is
logvol /home --fstype ext4 --name=lv02 --vgname=vg01 --size=1 --grow --encrypted --escrowcert=http://10.0.2.2:8080/escrow.crt --passphrase=XXXX --backuppassphrase
Leaving the cert as PEM encoded on the web server rather than DER doesn't seem to matter, either work up to a point.
The filesystem is created and encrypted using the supplied passphrase and can be opened on reboot with no issues. Two escrow files are produced as expected, and by using the NSS database containing the private key and the first escrow file I obtain what I think is the passphrase, but it doesn't unlock the disk. For example:
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow
Data encryption key:	817E65AC37C1EC802E3663322BFE818D47BDD477678482E78986C25731B343C221CC1D2505EA8D76FBB50C5C5E98B28CAD440349DC0842407B46B8F116E50B34
I assume the string from 817 to B34 is the passphrase but using it in a cryptsetup command does not work.
[root@mypxetest ~]# cryptsetup -v status home
/dev/mapper/home is inactive.
Command failed with code 19.
[root@mypxetest ~]# cryptsetup luksOpen /dev/rootvg01/lv02 home
Enter passphrase for /dev/rootvg01/lv02:
No key available with this passphrase.
Enter passphrase for /dev/rootvg01/lv02:
When prompted I paste in the long numeric string but get the No key available message. However if I use the passphrase specified in the kickstart file or the backup escrow file the disk unlocks.
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow-backup-passphrase
Passphrase:	QII.q-ImgpN-0oy0Y-RC5qa
Then using the string QII.q-ImgpN-0oy0Y-RC5qa in the cryptsetup command works.
Has anyone any idea what I'm missing? Why don't both escrow files work?
I've done some more reading, and the file ending in "escrow" is not an alternative passphrase for the LUKS volume but contains the encryption key, which is encrypted of course. When decrypted, the long string is the encryption key, and there's a clue in the rest of the text which I confess I didn't read very well.
I have a BeagleBone Black board and a host with 64-bit Ubuntu 14.04.
I wanted to transfer a uImage file over UART to the BeagleBone.
So I stopped at U-Boot and typed
U-Boot# loadb
## Ready for binary (kermit) download to 0x80200000 at 115200 bps...
Now it is waiting for the file. What do I have to do in order to send the uImage from the PC to the board?
After the loadb command prints "Ready for binary download", exit from the terminal (minicom, putty etc). Note down the serial device (e.g. /dev/ttyUSB0). Install kermit or one of its variants (e.g. gkermit and ckermit are available in Ubuntu).
Assuming that /dev/ttyUSB0 is your serial device, the baud rate is 115200, and no flow control is used, provide the following parameters to kermit:
$ kermit
kermit> set port /dev/ttyUSB0
kermit> set speed 115200
kermit> set carrier-watch off
kermit> set flow-control none
Now issue the send command to send the file over the serial line:
kermit> send filename
After the file transfer is successful, exit from kermit (use the exit command) and re-open minicom. Now you can issue further commands.
NOTE: You can explicitly specify a load address to loadb. If not specified, U-Boot takes the load address from environment variables.
NOTE 2: Some terminal programs have a built-in facility to send files over the serial line using protocols like xmodem or kermit.