Capure communications strings - string

I'm working on a software written by a developer that didn't leave any documentation for the company and I've to understand how a server communicate with a device.
I think it sends it some strings over a socket (to log-in in the device and check some parameters), I've the public IP address of the server and the public IP address of the device.
I'd like to know if there is a way to see what the server 'tells' to this device and vice-versa, I gave a quick look to Wireshark but I can't understand how to use it correctly.

Related

Is there a RIGHT approach for securing data further by doing an IP match?

So here is an approach I was thinking of:
PROBLEM:
- after you have done everything possible to secure your servers and client app. I wanted to add an extra layer to make sure even if a user looses access to their data, they can only really affect their own little space in a shared database. (obvisouly authentications are in place but this is the basis of the authenticatino model)
SOLUTION I HAD IN MIND:
- I wanted to add a "hidden" field that stores users IP addresses.
This means when a user does the normal password and usenrame entry, they also have to verify whether the machine they are using is their own, and thus we store that IP address by taking it from their request.
Later if they need to log in again they can, but if they want to retrieve data, the look up on the router server will recieve the IP from the request, add that onto the message as part of the filter parameters.
Once it queries the database if the combination of IP + data that users wants is found then it sends that back.
If a different IP is detected then no data exists in the server so nothing is sent back. which would initially be done on login and would trigger a mail to the user to verify the machine they are using is trusted.
Is there an easier way? is this overegging?
Thanks,
Alex
Tried ip-request module in Express, works fine, but wanted to know if there was a potential security threat with the way I am using this and it will be implemented before proceding.
First off, an IP address your server sees is often not the actual IP address of the computer the user is on because there is often a NAT device or proxy in between that maps a private network IP address of the user's machine to a public IP address for use on the internet. This would be true whether you were using a computer on your home network, using a computer at work, connected via WiFi at Starbucks, etc...
User Computer (private IP 192.168.1.x) => Gateway (some public IP address) => Your server
If the same computer connected to your server the same way over and over, it "might" be assigned the same public IP address every time it does so. But, in other circumstances it might not.
If the same computer is mobile at all (phone, laptop, tablet) and connects to the internet in different ways (WiFi, cellular), then it may show as a different IP address every time it connects from a different location.
So, in these days of lots of mobile devices and a user that may even access a service from more than one device, an IP address is just NOT a good measure of whether this is a risk or not.
Furthermore, in the case of shared NAT such as a WiFi hotshot or connecting from a corporate network, it's possible for lots of different users to all appear to be coming from the same public IP address.
I would not suggest using IP address at all as any security indicator. You will just get lots of false indicators of an invalid IP address that changed since last access and you may even get false positives where a different user appears on the same IP address as a legit user. In these days of NAT and mobility, there is no one-to-one correspondence between a public IP address and a user. Trying to pretend there is will cause all sorts of problems.

How to get incoming request ip address using .net Core

I deployed my .NET CORE solution in AZURE environment (PAAS).I used following code snippet there to get client's ip address
dtoItem.LogIP = HttpContext.Connection.RemoteIpAddress.ToString();
I used standard .net core libraries and did necessary changes into Startup.cs as well
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
RequireHeaderSymmetry = false,
});
I believe I have implemented everything in correct manner. But still I haven't got accurate client IP address. I am always getting client's public IP instead of his private IP. Since this can be repeated (Same office 2 users have same public IP) I need client's private IP instead of his public IP.
Is it possible to get private IP address in PAAS solution. If it is not possible, is there a way to track client's PC information. (Such as IP Address, MAC address).
Is it possible to get private IP address in PAAS solution?
No it is not possible as shared in this SO post and this answer address this about MACAddress
On the client side javascript, there is no API exposed to get the IPAddress(obviously due to security consideration) .Then you can get the IPAddress on the server side but typically if you are accessing internet from your company,it would go through the corporate proxy and the Ipaddress seen by the server will never be the actual client IP but the proxy server's address. So this is limited on the server side as server only sees the proxy (public IP address).
If it is not possible, is there a way to track client's PC information. (Such as IP Address, MAC address) ?
What you can reliably track is the user agent. Breaking the user agent down, we get the some information about browser ,OS versions. But user agent can easily be spoofed with some browser extension .
If you are looking for browser finger printing or tracking ,have a
look at Panopticlick which shows some more information like
fonts > installed, screen resolution,plugins installed etc to track
any client. fingerprintjs2 javascript library helps to track
using 26 parameters as of today
There is no straight forward answer to this. The thread shared by Rob has some great insights. However, one needs to understand that a lot can happen to the request before it reaches the server. The intermediary networking devices can manipulate the TCP headers so it may not reflect the correct IP Address that you need.
From a solution perspective, this might be perfectly possible, if you develop your own client and log this information somewhere so that you can track it. Otherwise there is no reliable way to get this information.

How to save mac address of computer in an email program?

I want to build a service like gmail or yahoomail.
It will be open for all.
For security purpose i can save the IP address for each action i.e sending mail, reading mail, deleting mail and all other actions.
I also want to save mac address of the computer from which mail is sent and i also want to
save mac address of the computer which is used to read the mail.
I am sure that i can build a program like this , but i have very little knowledge in the area
web security. Please suggest me how can i save mac address. Is it possible or not.
Where can i study about it.
Thank You
The MAC address of the client is part of the layer 2 protocol, and is used for address resolution (ARP) only on the subnet local to the client. Internetworking is done with TCP/IP (layers 3 & 4), which are transparent to layer 2. In other words, the protocols and equipment between your server and your clients make it impossible for your server to learn the MAC of your clients. This is by design.
If you are looking for a unique identifier for your clients, you should adopt the standard methods like cookies, certificates and the like. Both MAC and IP addresses can be spoofed.

get ip address from bssid

I am doing some penetration testing, and im trying to find out, if i can get the IP address of an router if i got the bssid, or any i can get with the AIR tools?
I use Linux Kali with the Air tools atm.
I would say this is pretty damn bad if its possible. Basicly most peopleĀ“s rounters can be reached through their outside IP. Even companies. :O
So far i tried:
- Passive TCPDUMP
- Active scanning
So basicly, is there a way, if so please give me a hint or the answer :-)
I am 100% refering to some sort of scanning. All kind of cracking, bruteforce, password guessing, access stealing is not what im asking about :-)
You can't do that if target access point is protected with WPA/WPA2.
This is why. Getting WiFi to work involves following steps:
Associate with target access point. If access point is using WPA/WPA2 and you don't know the password, then you cannot proceed to further steps, and certainly cannot know anything about IP address of target access point.
After association, your client (which is typically configured to use DHCP) has no IP address assigned (its IP address is 0.0.0.0). Technically, you can use sniffer at this stage to scan the network and find out IP addressed used, but most sniffers don't like to work with 0.0.0.0 address. To proceed further, your client sends DHCP request, which is served by access point. After getting successful DHCP ack with new IP address, client can proceed to next step.
After getting IP address, client can talk to access point and finally knows its IP address (it was served as default router in DHCP ack) - and that would be the answer to your question (yes, that late in the game!). However, even at that point, full network connectivity cannot be assumed. If access point implements captive portal, then your network access may be restricted until you open up web browser and (depending on wireless provider) either accept usage terms, provide some credentials or pay with credit card.
After passing captive portal, it is possible (but not common) that access point automatically re-associates and gives you completely different IP address (and access point also has different IP address now, from completely different subnet). This would mean that IP address you learned in previous steps was completely useless to you in terms of knowing actual network infrastructure.
You would need a Firewalking tool to get past the 0.0.0.0 you would essentially also need a password cracker that attempts different brute forcing to get the matching wep password for example, if there are not max tries it could work.

How to uniquely identify a network?

Let's say I want to make an application where stored data is encrypted so only my application is able to read it.
But I want the application to be accessed only if the user is on a particular network.
For instance the application is an Android app that deals with medical records in a hospital.
How to be sure that the device is connected to the network of the hospital ? The idea is that outside this network, the app won't work.
The question is not particularly related to wireless networks, wireless devices or Android, this is general to programming and network identification.
Could a certificate do that ? I'm new to this.
Does a network "identifier" could be faked ? For instance I'm pretty sure that a WiFi SSID is easy to fake.
Cheers.
More details:
Let's assume that the point of the local data is not for an "offline mode", but to avoid network latency. In that case, the data needs to remain accessible only if connected to a particular network, in case the device is stolen.
But if there is no way to be sure of the network's identity... What about a server that would answer to the question "Heya am I on the right network ?" and if no response comes out I know that I'm not on the right one ? (Or that the server just does not respond...) But, again, if the app is hacked, that can be faked too.
Interesting problem.
Generally speaking the purpose of storing data locally is so that it can be accessed while "offline".
However, I think there may be some underlying misconceptions here. Presumably the only reason you'd want to do this is to try and prevent a stolen device from giving up it's secrets. Fact of the matter is, you can't. If the device is no longer under your physical control then it's just a matter of time before it can be hacked.
If we are talking about sensitive data, it shouldn't be stored on the devices. Instead the device should retrieve the data it needs from your server when it needs it and delete it locally when no longer necessary.
The fact that you want the device to only work when connected to your local network implies that you can accomplish this goal.
As a side note, this is why things such as "remote wipe" exist. It's also why every time the device connects to your network it needs to test it's authentication and authorization. Point is if someone reports the device lost or stolen then you need to be able to ban it from your network AND, if the device supports this, remotely disable it.
Bearing in mind that it is entirely possible to pull a device from the network and therefore disable a remote wipe from executing.
With that out of the way, there is absolutely no way you can ensure the device is on a given network. All of that can be faked. It's kind of trivial to setup a router of a given name and change it's MAC to masquerade as whatever, and assign it certain IP addresses. For all intents and purposes it could be made to look exactly like an access point you have... And that's just with normal run of the mill wireless routers you can buy at your local computer store.
You could write your program so that the key to decrypt the data is stored on a server on the hospital network. If your program never stores the key, it makes it harder (although not impossible) for someone to access the device's data outside of the network.
As Chris pointed out a remote wipe would definitely be desirable. You could put in logic so that if the device ever attempts to read the data while not connected to the network, it wipes the data (this might lead to unintended wipes). Blacklisting is good too, so that if the device tries to reconnect to the network, you can essentially brick it. One thing that would be really bad is if you have a network outage, and all your devices accidentally get wiped.
Any network can duplicate another's SSID, so that's not reliable. You could start using a combination of SSID and a MAC address of a known router, but MAC addresses can be duplicated (although not on the same network) so that doesn't work either.
Frankly, unless the wireless network in question is using certificates to identify devices you're going to have no reliable way do it it, and even then this supposes you have a way in your application to get the certificate used the wifi network returns during network authentication.
Perhaps you could use IPSec tunnels. Many routers and firewalls support IPSec. What I'm thinking is something like this:
-----------------------------------
/ IPSec tunnel \
+---------+ \
A | IPSec | B Untrusted \
trusted network -------| capable |------- Networks ----------- Your application
| router | Internet, etc.
+---------+
The gateway router/firewall that provides access for the trusted network has an IPSec tunnel configured between itself and your application. On both the router and your application server, the tunnel looks like another network interface. A route on the router directs traffic for your application to the tunnel interface. A filter can be used on the router to ensure traffic is forwarded to the tunnel only if it arrives on interface A (i.e. the trusted network). Traffic arriving on interface B destined to your application can just be dropped by a filter on the router since it's obviously going the wrong way.
If your application binds its listening socket to just the tunnel interface, you'll know you're only accepting connections received over the tunnel.
You can use whatever combination of encryption and authentication mechanisms you want to to ensure the traffic is secure. Most IPSec implementations support just about anything you could want.

Resources