Notify me when a socket binds, like inotify does for files - linux

I am interested in finding out when things SSH into my boxen to create a reverse tunnel. Currently I'm using a big hack - just lsof with a few lines of script. So my goal is to see when a socket calls bind() and, ideally, get the port it binds to (it's listening locally since it's a reverse tunnel) and the remote host that I would be connecting to. My lsof hack is basically fine, except I don't get instant notifications and it's rather... hacky :)
This is easy for files; once a file does just about anything, inotify can tell me in Linux. Of course, other OSs have a similar capability.
I'm considering simply tailing the SSHD logs and parsing the output, but my little "tunnel monitor" daemon needs to be able to figure out the state of the tunnels at any point in time, even if it hasn't been running the whole time SSHD has.
I have a pretty evil hack I've been considering as well. It's a script that invokes GDB on /usr/sbin/sshd, then sets a breakpoint on bind. Then it runs it with the options -d -p <listening port> -- Running a separate SSHD for these tunnels is fine. Then it waits for that breakpoint to get hit, and uses GDB's input to get the remote hosts's IP address and the local IP on which SSH is now listening. Again, that's text parsing and opens some other issues.
Is there a "good" way to do this?

I would use SystemTap for a problem like this. You can use it to probe the kernel to see when a bind is done by any process on the system. http://sourceware.org/systemtap/

Related

SSH interception - Linux

Really hoping someone here can point me in the right direction,
Expected result: SSH successfully into a remote device.
Challenge/Back story:
We have devices out in remote places around the country,
These devices do not have a fixed public IP address
(Using GSM as its internet breakout)
These devices are able to SSH and break out.
My thought, with regards to maintaining these devices is to (if possible) use a server in the cloud as a middle man, have these devices create some sort of a reverse tunnel to our middleman server then have us as admins intercept it or something to that effect.
Again to summarize, Device cannot be ssh'd into directly, but can breakout.
Aim to be able to hit their terminal from the office.
have been looking at mitmssh but not coming right on that front.
Server A (no fixed address, cannot SSH into it directly but has breakout)
Server B (standard server which can be used as a middle man
Server C (Us admins)
Tried something along the lines of "ssh user#serverA -R serverB:12345:ServerA:22"
Which creates the tunnel, but struggling with grabbing hold of that SSH connection.
I think I regularly use something very similar. My target machine connects to the machine with a stable address with:
ssh midpoint -R 2022:localhost:22
my ~/.ssh/config file knows the real HostName. My config file on my work machine defines a ProxyCommand option to use this tunnelled TCP connection. like:
Host target
ProxyCommand ssh -q midpoint nc localhost 2022
the reason for using netcat was to get ssh-agent behaving.
I've just been searching around and it seems OpenSSH now has specific handling for this (-W command line option, and JumpHost in the config file). E.g. https://stackoverflow.com/a/29176698/1358308

evilgrade / netcat worked (once) and then never worked again

So in a controlled environment I used evilgrade, a payload I had created, etter, and then netcat to do a mitm to get my target device to install my created payload as an "update" and it worked. I got my target device to successfully do this and so I began writing a python script to automate this process rather than memorize the commands and now it does not work. As stated before everything worked flawlessly the first time through, but after I had established a connection to the target device, I cannot replicate it. I have tried uninstalling/purging all of the applications (except ettercap) and doing a fresh install as well as returning all config files like etter.dns and etter.conf to their defaults before trying to replicate.
The evilgrade CLI shows this:
start
evilgrade>
[3/5/2017:9:40:33] - [WEBSERVER] - Webserver ready. Waiting for connections ...
evilgrade>
[3/5/2017:9:40:33] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...
evilgrade>
The netcat CLI shows this:
root#oxYMmCIZ:~# nc -l -p 444 -v
Listening on [0.0.0.0] (family 0, port 444)
The first time netcat ran I saw what looked like something encrypted going across the CLI (I assume showing that traffic was indeed coming through) but I did not use -v that time so I did not see anything but the squares.
This is my first questions here and I feel like I should state that I am self taught so if I misuse any terms feel free to let me know. I know how to make stuff work, not explain it by the books' terms :)

Using the least resources possible, what would be the best way to simulate a hung web application?

I want to create a page that simulates a hung/frozen web page. For example, I could use a really long "sleep" in PHP. But if I wanted to make this a public tool, I could well imagine this might eat up server resource (sockets, memory, etc - I'm not that experienced at this level of abstraction) and eventually cause real problems for the server.
I don't want to simply close the socket with the client, because that would not provide the type of "waiting" behavior I want to simulate.
The solution doesn't have to be PHP related. That was just an example. It can be any language and/or web server. The only criteria is FOSS on Linux.
You can simply use netcat to listen on a port and return nothing.
nc -l localhost 8080
Or if you wanted it to continue listening when the client has closed the connection
while (TRUE); do nc -l localhost 8080; done
edit: some versions of nc have the -k option to force netcat to continue listening after the socket is closed. In those cases you don't need to loop.

linux command to connect to another server using hostname and port number

what is the Linux command to connect to another server using host name and port number?
how to connect to another server using only host name and port number then check if an existing process is running? the only way i see it working is to log in to the server and run the PS command. but is there a way to do it without logging in directly to the other server and connect only with host name and port number and check the running process?
If you just want to try an arbitrary connection to a given host/port combination, you could try one nmap, telnet or nc (netcat).
Note that you can't necessarily determine whether or not a process is running remotely - it might be running on that port, but simply ignore anything it sees over the port. To really be sure, you will need to run ps or netstat or etc. via ssh or etc.
If you want to use SSH from e.g. a script or, more generally, without typing in login information, then you will want to use public key authentication. Ubuntu has some good documentation on how to set this up, and it's very much applicable to other distrobutions as well: https://help.ubuntu.com/community/SSH/OpenSSH/Keys.
If you have no access to the server you're trying to list processes on at all, then I'm afraid there isn't a way to list running processes remotely (besides remote tools like nmap and so on, as mentioned earlier - you can always probe public ports without authentication [although you might make people angry if you do this to servers you don't own]). This is a feature, not a problem.
telnet connects to most of services. With it you can ensure that port is open and see hello message (if any). Also nc is more low level.
eri#eri-macro ~ $ telnet smtp.yandex.ru 25
Trying 87.250.250.38...
Connected to smtp.yandex.ru.
Escape character is '^]'.
220 smtp16.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
helo
501 5.5.4 HELO requires domain address.
HELO ya.ru
250 smtp16.mail.yandex.net
MAILĀ FROM: <someusername#somecompany.ru>
502 5.5.2 Syntax error, command unrecognized.
If there is plain text protocol you cat talk with service by keyboard. If connection is secured try openssl.
openssl s_client -quiet -connect www.google.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
GET /
<HTML><HEAD>
If protocol is not known you may see much of hieroglyphs or just Connected to ... message.
Try this :
ssh <YOUR_HOST_NAME> 'ps auxwww'
Like Dark Falcon said in the comments, you need a protocol to communicate with the server, a port alone is useless in this case.
By default on unix (and unix like) servers, ssh is the way to go.
Remote Shell with this command. Example is cat a file on the remote machine.
rsh host port 'cat remotefile' >> localfile
host and port self explainitory
remotefile: name of some file on the machine remote logging to in home directory
localfile: name of file cat information to.
Use monitoring software (like Nagios). It looks at your processes, sensors, load and thatever you configured to watch. It continuously stores log. It alerts you by email\sms\jabber if something fails. You can access it with browser or by HTTP API.

socket bind return error 63

When I try to bind a socket using linux bind call. it return error 63 (Out of streams resources). I tried to explore (using google) why this error is coming and how to reproduce it but I had no luck. This problem is happening at one of the setup where I do not have direct access. I want to understand why this error is coming and want to recreate the problem. I am using Opensuse linux.
Any help would be really appreciable.
Error 0x63 is EADDRNOTAVAIL, which means you're trying to bind to an address that's already in use. Make sure you are not already running an instance of your program (which would have bound the port), and that there's not something else using the port.
The command
netstat -nat
will tell you if the port is in use. If you have root access you can add an option (-p on linux) that will also tell you which process has the port open.
There's also the lsof and/or fuser commands (depending on your flavor of Linux/Unix) to list open file handles and the owning processes. These also require root or sudo access.

Resources