To All,
I am writing a service running HTTPS protocol that accept secure connection using Openssl.
After that, I tested SSL connection using nmap with the following command:
nmap --script ssl-enum-ciphers -p 443 192.168.2.1
Nmap scan report for 192.168.2.1
Host is up (0.0029s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
However, if the the argument -sV is added, then it displays following
nmap --script ssl-enum-ciphers -sV -p 443 192.168.2.1
Starting Nmap 7.01 ( https://nmap.org ) at 2021-05-25 09:15 CST
Nmap scan report for 192.168.2.1
Host is up (0.0030s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/https?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.79 seconds
the -sV is used to probe service/version info, I am wondering is it because I am using ECHDE only?
Anyway, here's how I setup my SSL connection (Remove error checking for easy reading).
SSL_library_init();
SSL_load_error_strings();
CTX = SSL_CTX_new(TLSv1_2_server_method());
SL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384");
SSL_CTX_ctrl((CTX),SSL_CTRL_SET_ECDH_AUTO,1,NULL);
SSL_CTX_use_certificate_file(CTX, pem, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(CTX, pem, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(CTX, chain);
I am suspecting the ciphers ECDHE, because if I use Cipher list "AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384", everything seems to work fine.
Any help is appreciated, thanks.
Related
I'm trying to leverage my existing (fully configured and working) Samba AD DC as authentication for XWiki, and other apps.
As such, I'm first trying to do a successful ldapsearch from the XWiki server.
The following command works on the Samba server, but not on the XWiki client:
ubuntu#xwiki:~$ ldapsearch -x -LLL -E pr=200/noprompt -H ldaps://10.0.1.191/ -D "CN=Administrator,CN=Users,DC=ad,DC=nitssolutions,DC=com" -w 'SambaNovi2018' -b 'DC=ad,DC=nitssolutions,DC=com' -s sub '(sAMAccountName=*)' cn mail memberOf
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
However, if I do:
ping 10.0.1.191
I get:
ubuntu#xwiki:~$ ping 10.0.1.191
PING 10.0.1.191 (10.0.1.191) 56(84) bytes of data.
64 bytes from 10.0.1.191: icmp_seq=1 ttl=64 time=135 ms
64 bytes from 10.0.1.191: icmp_seq=2 ttl=64 time=138 ms
64 bytes from 10.0.1.191: icmp_seq=3 ttl=64 time=146 ms
^C
--- 10.0.1.191 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 135.741/140.317/146.970/4.832 ms
and if I do:
telnet 10.0.1.191 636
I'm able to connect.
EDIT: Additional information:
I added a -d 1 to the ldapsearch command line, and now I get:
ubuntu#xwiki:~$ ldapsearch -d 1 -x -LLL -E pr=200/noprompt -H ldaps://10.0.1.191/ -D "CN=Administrator,CN=Users,DC=ad,DC=nitssolutions,DC=com" -w 'SambaNovi2018' -b 'DC=ad,DC=nitssolutions,DC=com' -s sub '(sAMAccountName=*)' cn mail memberOf
ldap_url_parse_ext(ldaps://10.0.1.191/)
ldap_create
ldap_url_parse_ext(ldaps://10.0.1.191:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.0.1.191:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.1.191:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Note, in particular, this line:
TLS: peer cert untrusted or revoked (0x42)
I'm going to try researching this error further, but as of now, I'm still stuck...
EDIT2: Still more additional information:
When I run this command, with the -d 1 parameter on the Samba server, the command works, in spite of having the:
TLS: peer cert untrusted or revoked (0x42)
in the debug output....
Continuing to dig....
Help?
And here I go, answering my own question again...sigh. I should post here more often. Helps me clearly lay out the problem, which inevitably leads to finding a solution.
Anyhow, the solution was:
I had a file, /etc/ldap/ldap.conf on my sambadc machine as well as my xwiki client machine, but the content differed.
The sambadc machine had:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
Which worked.
But, my xwiki machine had:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
which failed.
When I commented out the TLS_CACERT line, and added the TLS_REQCERT line, it all started working as expected.
I get a port after seeing the $DISPLAY environment variable, and need to check if the vnc on which the current program is run is connected or not.
❯ netstat -an --tcp | grep 5902
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN
The above is a netstat output.
On tcp connection established for the port, the following is the output:
$ netstat -an --tcp | grep 5902
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN
tcp 0 0 172.16.100.219:5902 172.16.100.129:35542 ESTABLISHED
One can call netstat from within C/c++ code something like
port = process_display(std::getenv("DISPLAY"))
is_connected = call_this("netstat -anp | grep <porttocheck> | grep ESTABLISHED | wc -l");
I need the is_connected and do some logic.
However, this relies on variety of factors, if the program is going to run on different machines, I would rather not rely on calling netstat from code.
Is there a better way to check if a port has a established TCP connection, from C code? Parsing /proc/ or something similar also looks very unweildy.
I am ok for a linux only solution.
I think you can create a socket with the port which you want the status of it. If socket successfully created it means that the port was closed otherwise it is open. like this
I have a router with nat port forwarding configured. I launched a http copy of big file via the nat. The http server is hosted on the LAN PC which contains the big file to download. I launched the file download from WAN PC.
I disabled the nat rule when file copy is running. the copy of file keep remaining. I want to stop the copy of file when I disable the nat forward rule with conntrack-tool.
my conntrack list contains the following conntrack session
# conntrack -L | grep "33.13"
tcp 6 431988 ESTABLISHED src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 [ASSURED] use=1
I tried to remove it with the following command:
# conntrack -D --orig-src 192.168.33.13
tcp 6 431982 ESTABLISHED src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 [ASSURED] use=1
conntrack v1.4.3 (conntrack-tools): 1 flow entries have been deleted.
the conntrack session is removed I can see in the following command. But another conntrack session was created with src ip address is the lan address of the removed conntrack
# conntrack -L | grep "33.13"
tcp 6 431993 ESTABLISHED src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 [ASSURED] use=1
conntrack v1.4.3 (conntrack-tools): 57 flow entries have been shown.
I tried to remove the new conntrack but it keep remaining
# conntrack -D --orig-src 192.168.3.17
# conntrack -L | grep "33.13"
conntrack v1.4.3 (conntrack-tools): 11 flow entries have been shown.
tcp 6 431981 ESTABLISHED src=192.168.3.17 dst=192.168.33.13 sport=80 dport=52722 src=192.168.33.13 dst=192.168.33.215 sport=52722 dport=80 [ASSURED] use=1
What I m missing?
first, if "conntrack -D" command succeed, you can see below Messsage.
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been deleted.
So we guess that track deleltion working was failed.
Why do not conntrack delete track?
Perhaps you are referencing a session you want to delete from a specific skb or track.
if you want to get detail infomation, you try to follow "ctnetlink_del_conntrack " call stack funcion in linux kernel.
How can I find all hosts that are up, and display only
Nman scan report for xxxx.xxxx.xxxx (ip address)
Host is up(latency)
MAC Address -mac adress-(company)
Assuming your targets are directly connected:
nmap -n -sn <targets>
(no rDNS, ping scan)
I have a project I'm working on, where a piece of Hardware is producing output that is continuously being written into a textfile.
What I need to do is to stream that file as it's being written over a simple tcp/ip connection.
I'm currently trying to that through simple netcat, but netcat only sends the part of the file that is written at the time of execution. It doesn't continue to send the rest.
Right now I have a server listening to netcat on port 9000 (simply for test-purposes):
netcat -l 9000
And the send command is:
netcat localhost 9000 < c:\OUTPUTFILE
So in my understanding netcat should actually be streaming the file, but it simply stops once everything that existed at the beginning of the execution has been sent. It doesn't kill the connection, but simply stops sending new data.
How do I get it to stream the data continuously?
Try:
tail -F /path/to/file | netcat localhost 9000
try:
tail /var/log/mail.log -f | nc -C xxx.xxx.xxx.xxx 9000
try nc:
# tail for get last text from file, then find the lines that has TEXT and then stream
# see documentation for nc, -l means create server, -k means not close when client disconnect, waits for anothers clients
tail -f /output.log | grep "TEXT" | nc -l -k 2000