From owner-freebsd-security@FreeBSD.ORG Mon Nov 19 10:01:25 2007
Date: Mon, 19 Nov 2007 10:38:29 +0100
From: VANHULLEBUS Yvan
To: john decot
Cc: freebsd-security@freebsd.org
Message-ID: <20071119093829.GA22050@zen.inc>
In-Reply-To: <899269.18771.qm@web55403.mail.re4.yahoo.com>
Subject: Re: IPSEC help

On Sat, Nov 17, 2007 at 01:06:32AM -0800, john decot wrote:
> Hi ,

Hi.

> As per suggestion, The following are the logs generated by racoon :
> [....]
> 2007-11-17 13:46:22: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
> 2007-11-17 13:46:22: INFO: received Vendor ID: FRAGMENTATION
> 2007-11-17 13:46:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

Some people should learn that an RFC has been published for NAT-T :-)

[....]
> 2007-11-17 13:46:22: DEBUG: Compared: DB:Peer
> 2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)
> 2007-11-17 13:46:22: DEBUG: (lifebyte = 0:0)
> 2007-11-17 13:46:22: DEBUG: enctype = 3DES-CBC:3DES-CBC
> 2007-11-17 13:46:22: DEBUG: (encklen = 0:0)
> 2007-11-17 13:46:22: DEBUG: hashtype = SHA:SHA
> 2007-11-17 13:46:22: DEBUG: authmethod = RSA signatures:RSA signatures
> 2007-11-17 13:46:22: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
> 2007-11-17 13:46:22: DEBUG: an acceptable proposal found.
> 2007-11-17 13:46:22: DEBUG: hmac(modp1024)

Ok, your racoon found "an acceptable proposal", even if DB's lifetime is
really shorter than the peer's one. That means you're in CLAIM or OBEY
checkmode. Those modes are well known to generate as many problems as they
solve; you should really consider using exact or at least strict checkmode,
and fix your lifetime in your configuration (on the side you want, but have
the same lifetime on both peers).

[....]
> 2007-11-17 13:46:22: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
[....]
> 2007-11-17 13:46:22: ERROR: ignore information because ISAKMP-SA has not been established yet.

May be an INITIAL-CONTACT sent a bit too early, or may also be a
negotiation-related INFORMATIONAL message. Could you do a network capture
of a negotiation, and have a look at that message in a tool like wireshark,
to have more details?

[....]
> 2007-11-17 13:46:32: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
[....]
> 2007-11-17 13:46:42: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
[....]
> 2007-11-17 13:46:52: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
[....]
> 2007-11-17 13:47:02: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
[....]
> 2007-11-17 13:47:12: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> 2007-11-17 13:47:22: ERROR: phase1 negotiation failed due to time up. a40e0e86c6a792cc:082dacfe812390c3

Really looks like the peer did not like the answer we sent, so did not
respond to it (or sent an informational which has not been handled).

Fix your lifetimes, switch to strict checkmode, fix any other negotiation
parameter which may generate an error now you're in strict checkmode, and
if that still doesn't work, have a look at the INFORMATIONAL message sent
by your peer, and/or have a look at any log on your peer.

Yvan.

--
NETASQ
http://www.netasq.com

Date: Mon, 19 Nov 2007 11:43:13 -0500
From: Mike Tancsa
To: freebsd-security@freebsd.org
Message-Id: <200711191643.lAJGh3jb027972@lava.sentex.ca>
Subject: testing wireless security
I have been playing around with 3 ath based FreeBSD boxes and seem to have
got everything going via WPA and a common PSK for 802.11x auth. However, I
want to have a bit more certainty about things working properly.

What tools do people recommend for sniffing and checking a wireless network?

In terms of IDS, is there any way to see if people are trying to bruteforce
the network? I see hostap has nice logging, but anything beyond that?

e.g. with a bad psk on the client
hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port

Is there a way to black list MAC addresses, or just allow certain ones from
even trying? IPSEC will be running on top, but I still want a decent level
of security on the transport layer.

On the client I have

% cat /etc/wpa_supplicant.conf
network={
        ssid="testnet1"
        # psk="xxx"
}

% ifconfig ath0
ath0: flags=8843 mtu 1500
        inet 2.2.2.9 netmask 0xffffff00 broadcast 2.2.2.255
        ether 00:0b:6b:2b:bb:69
        media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/48Mbps)
        status: associated
        ssid mike1 channel 1 bssid 00:0b:6b:84:3e:76
        authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit
        txpowmax 49 bmiss 7 protmode CTS burst roaming MANUAL bintval 100

and the host

% ifconfig ath0
ath0: flags=8843 mtu 2290
        inet 2.2.2.1 netmask 0xffffff00 broadcast 2.2.2.255
        ether 00:0b:6b:84:3e:76
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
        status: associated
        ssid mike1 channel 1 bssid 00:0b:6b:84:3e:76
        authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
        txpowmax 39 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100

% cat /etc/hostapd.conf
interface=ath0
driver=bsd
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=testnet1
macaddr_acl=0
auth_algs=1

#### IEEE 802.1X related config ####
ieee8021x=0

#### WPA/IEEE 802.11i config #####
wpa=1
wpa_passphrase=xxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

Date: Mon, 19 Nov 2007 13:21:23 -0600
From: Josh Paetzel
To: freebsd-security@freebsd.org
Message-Id: <200711191321.44398.josh@tcbug.org>
In-Reply-To: <200711191643.lAJGh3jb027972@lava.sentex.ca>
Subject: Re: testing wireless security
On Monday 19 November 2007 10:43:13 am Mike Tancsa wrote:
> I have been playing around with 3 ath based FreeBSD boxes and seem to
> have got everything going via WPA and a common PSK for 802.11x
> auth. However, I want to have a bit more certainty about things
> working properly.
>
> What tools do people recommend for sniffing and checking a wireless network
> ?
>
> In terms of IDS, is there any way to see if people are trying to
> bruteforce the network ? I see hostap has nice logging, but anything
> beyond that ?
>
> e.g. with a bad psk on the client
> hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port
>
> is there a way to black list MAC addresses, or just allow certain
> ones from even trying ? IPSEC will be running on top, but I still
> want a decent level of security on the transport layer.
>

When I looked in to this it seemed that the current state of affairs is that
WPA can only be broken by brute-forcing the key. I don't recall if that
could be done 'off-line' or not. My memory is that the needed info to
attempt bruteforcing could be done by simply receiving....no need to attempt
to associate to the AP was needed. I'm not really interested in
disseminating links to tools that can be used to break wireless security, but
simple google searches will give you the info you need.....and the tools are
in the ports tree for the most part.

Fortunately WPA allows keys that put even resource-rich attackers in to the
decade range to bruteforce.

--
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
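Mike asked above whether hostapd's logging can be used to spot repeated failed PSK attempts. As an added example that is not from either poster, the Python below counts the "unauthorizing port" events per station inside a sliding window and renders the repeat offenders in the one-MAC-per-line format hostapd reads through deny_mac_file; the syslog prefix, the hostname "ap1" and the sample lines are constructed from the single line Mike quoted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# hostapd writes the event exactly as quoted in Mike's mail:
#   hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port
# syslogd prepends "Mon DD HH:MM:SS hostname"; that prefix is assumed here.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ hostapd: (?P<ifname>\S+): "
    r"STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) IEEE 802\.1X: unauthorizing port$",
    re.IGNORECASE,
)

# Constructed sample: one station fails four times within a minute, then once
# much later; two other stations appear once each (one of them authorizing).
SAMPLE_LINES = [
    "Nov 19 10:43:13 ap1 hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port",
    "Nov 19 10:43:20 ap1 hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port",
    "Nov 19 10:43:25 ap1 hostapd: ath0: STA 00:0b:6b:11:22:33 IEEE 802.1X: authorizing port",
    "Nov 19 10:43:31 ap1 hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port",
    "Nov 19 10:43:45 ap1 hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port",
    "Nov 19 10:44:02 ap1 hostapd: ath0: STA 00:0b:6b:44:55:66 IEEE 802.1X: unauthorizing port",
    "Nov 19 10:50:00 ap1 hostapd: ath0: STA 00:0b:6b:2b:bb:69 IEEE 802.1X: unauthorizing port",
]


def parse_event(line, year=2007):
    """Return (timestamp, interface, sta_mac) for an unauthorizing-port line, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ifname"], m["sta"].lower()


def find_repeat_offenders(lines, window_s=60, threshold=3):
    """Map each station that produced >= threshold events within window_s seconds
    to the largest burst seen.  A single event is normal (it also fires on a
    plain disconnect); a tight burst from one MAC is what a guessing client does."""
    recent = defaultdict(deque)   # sta -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, _ifname, sta = ev
        q = recent[sta]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[sta] = max(flagged.get(sta, 0), len(q))
    return flagged


def deny_mac_file(flagged):
    """One MAC per line, as hostapd's deny_mac_file= expects (with macaddr_acl=0).
    A client can change its MAC at will, so this is a speed bump and a pointer to
    what to investigate, not the access control itself; the PSK remains that."""
    return "".join(f"{mac}\n" for mac in sorted(flagged))


if __name__ == "__main__":
    hits = find_repeat_offenders(SAMPLE_LINES)
    for mac, n in hits.items():
        print(f"{mac}: {n} deauthorizations within 60s")
    print(deny_mac_file(hits), end="")
```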
Date: Mon, 19 Nov 2007 15:55:07 -0800
From: "Mark D. Foster"
To: Josh Paetzel
Cc: freebsd-security@freebsd.org
Message-ID: <4742225B.6020107@foster.cc>
In-Reply-To: <200711191321.44398.josh@tcbug.org>
Subject: Re: testing wireless security

Josh Paetzel wrote:
> When I looked in to this it seemed that the current state of affairs is that
> WPA can only be broken by brute-forcing the key. I don't recall if that
> could be done 'off-line' or not. My memory is that the needed info to
> attempt bruteforcing could be done by simply receiving....no need to attempt
> to associate to the AP was needed. I'm not really interested in
> disseminating links to tools that can be used to break wireless security, but
> simple google searches will give you the info you need.....and the tools are
> in the ports tree for the most part.
>
> Fortunately WPA allows keys that put even resource-rich attackers in to the
> decade range to bruteforce.
>

That would not appear to be a limitation of aircrack-ng
http://www.freshports.org/net-mgmt/aircrack-ng/

aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can
recover these keys once enough encrypted packets have been captured.
It implements the standard FMS attack along with some optimizations
like KoreK attacks, thus making the attack much faster compared to
other WEP cracking tools. In fact aircrack is a set of tools for
auditing wireless networks.
That said, I haven't (yet) tried it myself ;)

--
Said one park ranger, 'There is considerable overlap between the
intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP  http://mark.foster.cc/

Date: Tue, 20 Nov 2007 02:57:17 -0800 (PST)
From: john decot
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Message-ID: <216526.27461.qm@web55401.mail.re4.yahoo.com>
In-Reply-To: <20071119093829.GA22050@zen.inc>
Subject: Re: IPSEC help
Hi,

I have checked with a different mode than obey and found the error "no
valid proposal", and again I changed the lifetime in the BSD server too.
But I can't find where I have to change those parameters in the remote
Windows IPsec box.

Could you please suggest me.

Thank you,

Regards,
John

VANHULLEBUS Yvan wrote:
> On Sat, Nov 17, 2007 at 01:06:32AM -0800, john decot wrote:
> > Hi ,
>
> Hi.
>
> > As per suggestion, The following are the logs generated by racoon :
> > [....]
> > 2007-11-17 13:46:22: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
> > 2007-11-17 13:46:22: INFO: received Vendor ID: FRAGMENTATION
> > 2007-11-17 13:46:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
>
> Some people should learn that an RFC has been published for NAT-T :-)
>
> [....]
> > 2007-11-17 13:46:22: DEBUG: Compared: DB:Peer
> > 2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)
> > 2007-11-17 13:46:22: DEBUG: (lifebyte = 0:0)
> > 2007-11-17 13:46:22: DEBUG: enctype = 3DES-CBC:3DES-CBC
> > 2007-11-17 13:46:22: DEBUG: (encklen = 0:0)
> > 2007-11-17 13:46:22: DEBUG: hashtype = SHA:SHA
> > 2007-11-17 13:46:22: DEBUG: authmethod = RSA signatures:RSA signatures
> > 2007-11-17 13:46:22: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
> > 2007-11-17 13:46:22: DEBUG: an acceptable proposal found.
> > 2007-11-17 13:46:22: DEBUG: hmac(modp1024)
>
> Ok, your racoon found "an acceptable proposal", even if DB's lifetime is
> really shorter than the peer's one. That means you're in CLAIM or OBEY
> checkmode. Those modes are well known to generate as many problems as they
> solve; you should really consider using exact or at least strict checkmode,
> and fix your lifetime in your configuration (on the side you want, but have
> the same lifetime on both peers).
>
> [....]
> > 2007-11-17 13:46:22: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
> [....]
> > 2007-11-17 13:46:22: ERROR: ignore information because ISAKMP-SA has not been established yet.
>
> May be an INITIAL-CONTACT sent a bit too early, or may also be a
> negotiation-related INFORMATIONAL message. Could you do a network capture
> of a negotiation, and have a look at that message in a tool like wireshark,
> to have more details?
>
> [....]
> > 2007-11-17 13:46:32: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:46:42: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:46:52: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:47:02: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> [....]
> > 2007-11-17 13:47:12: DEBUG: resend phase1 packet a40e0e86c6a792cc:082dacfe812390c3
> > 2007-11-17 13:47:22: ERROR: phase1 negotiation failed due to time up. a40e0e86c6a792cc:082dacfe812390c3
>
> Really looks like the peer did not like the answer we sent, so did not
> respond to it (or sent an informational which has not been handled).
>
> Fix your lifetimes, switch to strict checkmode, fix any other negotiation
> parameter which may generate an error now you're in strict checkmode, and
> if that still doesn't work, have a look at the INFORMATIONAL message sent
> by your peer, and/or have a look at any log on your peer.
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
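Yvan's advice quoted above turns on what the "Compared: DB:Peer" block shows and on which proposal_check mode racoon runs in. As an added example that is not from any poster, the Python below parses that block from the log lines John posted and applies the obey/strict/claim/exact lifetime rules as racoon.conf(5) describes them (that reading of the manual is an assumption; the code is a model, not racoon's own logic), so the outcome of each mode can be seen before touching the configuration.

```python
import re

# One attribute line of racoon's "Compared: DB:Peer" block, e.g.
#   2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)
#   2007-11-17 13:46:22: DEBUG: enctype = 3DES-CBC:3DES-CBC
ATTR_RE = re.compile(r"^\S+ \S+ DEBUG: \(?(?P<name>\w+) = (?P<vals>.+?)\)?$")
BLOCK_START = "DEBUG: Compared: DB:Peer"

# The lines John posted: DB is this racoon's configuration, Peer the Windows offer.
SAMPLE_LOG = """\
2007-11-17 13:46:22: DEBUG: Compared: DB:Peer
2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)
2007-11-17 13:46:22: DEBUG: (lifebyte = 0:0)
2007-11-17 13:46:22: DEBUG: enctype = 3DES-CBC:3DES-CBC
2007-11-17 13:46:22: DEBUG: (encklen = 0:0)
2007-11-17 13:46:22: DEBUG: hashtype = SHA:SHA
2007-11-17 13:46:22: DEBUG: authmethod = RSA signatures:RSA signatures
2007-11-17 13:46:22: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
2007-11-17 13:46:22: DEBUG: an acceptable proposal found.
""".splitlines()


def parse_comparison(lines):
    """Return {attribute: (db_value, peer_value)} for the first DB:Peer block."""
    attrs = {}
    in_block = False
    for line in lines:
        if BLOCK_START in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = ATTR_RE.match(line.strip())
        if not m:
            break  # the first non-attribute line ends the block
        parts = m["vals"].split(":")
        if len(parts) == 2:  # every value racoon prints here is "db:peer"
            attrs[m["name"]] = (parts[0].strip(), parts[1].strip())
    return attrs


def evaluate(attrs, proposal_check="strict"):
    """Model of racoon.conf(5)'s proposal_check applied to a parsed block.

    Returns (accepted, problems, lifetime_used).  Algorithm attributes must match
    in every mode; only the lifetime comparison depends on the mode.  DB is the
    responder (our config), Peer is the initiator's proposal.
    """
    problems = [f"{name}: local {db} vs peer {peer}"
                for name, (db, peer) in attrs.items()
                if name not in ("lifetime", "lifebyte") and db != peer]
    db_lt, peer_lt = (int(v) for v in attrs.get("lifetime", ("0", "0")))
    if proposal_check == "obey":
        used = peer_lt                      # take whatever the peer proposes
    elif proposal_check == "exact":
        used = peer_lt
        if db_lt != peer_lt:
            problems.append(f"lifetime: exact needs {db_lt} == {peer_lt}")
    elif proposal_check == "strict":
        used = min(db_lt, peer_lt)          # a shorter peer lifetime is adopted,
        if peer_lt > db_lt:                 # a longer one is rejected
            problems.append(f"lifetime: peer {peer_lt}s is longer than local {db_lt}s")
    elif proposal_check == "claim":
        used = min(db_lt, peer_lt)          # like strict, but keeps ours instead of rejecting
    else:
        raise ValueError(f"unknown proposal_check: {proposal_check}")
    return (not problems), problems, used


if __name__ == "__main__":
    parsed = parse_comparison(SAMPLE_LOG)
    for mode in ("obey", "claim", "strict", "exact"):
        ok, why, used = evaluate(parsed, mode)
        print(f"{mode:6}: {'accepted' if ok else 'rejected'} lifetime={used} {why}")
```

With the posted values only obey and claim accept, which is exactly Yvan's reading; raising the local lifetime to 28800 makes strict and exact accept as well.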
Date: Tue, 20 Nov 2007 12:08:31 +0100
From: Bjoern Engels
To: john decot
Cc: freebsd-security@freebsd.org
Message-ID: <20071120110831.GB90344@e.0x20.net>
In-Reply-To: <216526.27461.qm@web55401.mail.re4.yahoo.com>
Subject: Re: IPSEC help

On Tue, Nov 20, 2007 at 02:57:17AM -0800, john decot wrote:
> Hi,
>
> I have checked with a different mode than obey and found the error "no
> valid proposal", and again I changed the lifetime in the BSD server too.
> But I can't find where I have to change those parameters in the remote
> Windows IPsec box.
>
> Could you please suggest me.
[...]
> 2007-11-17 13:46:22: DEBUG: Compared: DB:Peer
> 2007-11-17 13:46:22: DEBUG: (lifetime = 1800:28800)

I suggest you change the lifetime in racoon's config to 28800 seconds if
you cannot change it at the peer.

Another thing I'd check is encryption/hash algorithms.
You'll probably have the best compatibility if you change everything to
3DES-MD5.

--
Viele Gruesse // Best regards
Bjoern Engels
:wq!

Date: Tue, 20 Nov 2007 13:34:18 +0100
From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
Message-ID: <20071120123418.GA32444@zen.inc>
In-Reply-To: <216526.27461.qm@web55401.mail.re4.yahoo.com>
Subject: Re: IPSEC help

On Tue, Nov 20, 2007 at 02:57:17AM -0800, john decot wrote:
> Hi,
>
> I have checked with a different mode than obey and found the error
> "no valid proposal", and again I changed the lifetime in the BSD
> server too. But I can't find where I have to change those
> parameters in the remote Windows IPsec box.

You shouldn't have to change setup on both ends: you can just change
values on one end (the BSD server) to match values of the other end.
According to the quick look I had at your previous dump and to my memory
(ok, so that's probably not exact :-), you should just have to change
lifetime to 28800 sec in remote section.

Yvan.

--
NETASQ
http://www.netasq.com

Date: Tue, 20 Nov 2007 07:56:38 -0600
From: Josh Paetzel
To: freebsd-security@freebsd.org
Cc: "Mark D. Foster"
Message-Id: <200711200756.42344.josh@tcbug.org>
In-Reply-To: <4742225B.6020107@foster.cc>
Subject: Re: testing wireless security

On Monday 19 November 2007 05:55:07 pm Mark D. Foster wrote:
> Josh Paetzel wrote:
> > When I looked in to this it seemed that the current state of affairs is
> > that WPA can only be broken by brute-forcing the key. I don't recall if
> > that could be done 'off-line' or not. My memory is that the needed info
> > to attempt bruteforcing could be done by simply receiving....no need to
> > attempt to associate to the AP was needed. I'm not really interested in
> > disseminating links to tools that can be used to break wireless security,
> > but simple google searches will give you the info you need.....and the
> > tools are in the ports tree for the most part.
> >
> > Fortunately WPA allows keys that put even resource-rich attackers in to
> > the decade range to bruteforce.
>
> That would not appear to be a limitation of aircrack-ng
> http://www.freshports.org/net-mgmt/aircrack-ng/
>
> aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can
> recover these keys once enough encrypted packets have been captured.
> It implements the standard FMS attack along with some optimizations
> like KoreK attacks, thus making the attack much faster compared to
> other WEP cracking tools. In fact aircrack is a set of tools for
> auditing wireless networks.
>
> That said, I haven't (yet) tried it myself ;)

Well, if you were to read your own link for a bit you'd eventually find...

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Quoting from the page....

WPA/WPA2 supports many types of authentication beyond pre-shared keys.
aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows
the network as having the authentication type of PSK, otherwise, don't bother
trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This
is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where
statistical methods can be used to speed up the cracking process, only plain
brute force techniques can be used against WPA/WPA2. That is, because the key
is not static, so collecting IVs like when cracking WEP encryption, does not
speed up the attack. The only thing that does give the information to start
an attack is the handshake between client and AP. Handshaking is done when
the client connects to the network. Although not absolutely true, for the
purposes of this tutorial, consider it true. Since the pre-shared key can be
from 8 to 63 characters in length, it effectively becomes impossible to crack
the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word
or relatively short in length. Conversely, if you want to have an unbreakable
wireless network at home, use WPA/WPA2 and a 63 character password composed
of random characters including special symbols.

--
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
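The aircrack-ng page Josh quotes makes two points: against WPA-PSK only the captured handshake plus guessing works, and a 63-character random passphrase puts that out of reach. As an added example that is neither from that page nor from any poster, the Python below is the passphrase-to-PSK mapping that the AP and the client both compute (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output), checked against the IEEE 802.11i test vector, plus a keyspace calculator for comparing passphrase policies and a generator for the 63-character kind; the SSID "testnet1" is taken from Mike's hostapd.conf.

```python
import hashlib
import math
import secrets
import string

# A WPA/WPA2 passphrase is 8..63 printable ASCII characters (codes 32..126).
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def passphrase_ok(passphrase: str) -> bool:
    """True if the string is a legal WPA passphrase."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase to the 256-bit PSK exactly as hostapd and wpa_supplicant do:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.  Every guess an
    attacker makes has to pay the same 4096 rounds, which is the cost that, together
    with passphrase length, decides how long the handshake capture stays useless."""
    if not passphrase_ok(passphrase):
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Work factor, in bits, of trying every passphrase of this length and alphabet."""
    return length * math.log2(alphabet_size)


def random_passphrase(length: int = 63) -> str:
    """A passphrase drawn uniformly from printable ASCII, without the space character
    so it pastes safely into hostapd.conf and wpa_supplicant.conf."""
    alphabet = PASSPHRASE_ALPHABET.rstrip(" ")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    for shape, (n, a) in {"8 lowercase letters": (8, 26),
                          "10 letters+digits": (10, 62),
                          "63 random printable": (63, 94)}.items():
        print(f"{shape}: {guess_space_bits(n, a):.1f} bits, 4096 HMAC rounds per guess")
    strong = random_passphrase()
    print(f"wpa_passphrase={strong}")
    print(f"wpa_psk={wpa_psk(strong, 'testnet1').hex()}")
```

hostapd's wpa_psk= and wpa_supplicant's unquoted psk= accept the 64-hex PSK directly, so a generated passphrase can be turned into a PSK once and the passphrase itself kept out of the configuration files.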
From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 14:54:09 2007
From: JP
To: freebsd-security@freebsd.org
Date: Tue, 20 Nov 2007 09:41:52 -0500
Message-Id: <200711200941.52719.johnpollock@bellsouth.net>
Subject: chkrootkit V. 0.47

Running freeBSD 6.1

After changing chkrootkit to the latest version V. 0.47 and compiling it then running it I get the following:

==================================
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 6667)
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... vr0 is not promisc
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
==================================

Looking above, it shows a few anomalies like the bindshell ...
INFECTED (PORTS: 6667)
--and--
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

I do run an IRCd, and also a YABB message board along with the APACHE web server - would the above then be normal output, and what about the lkm?

Many thanks to those with more experience in this area.

JP

From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 16:46:36 2007
Date: Tue, 20 Nov 2007 08:46:28 -0800 (PST)
From: john decot
To: VANHULLEBUS Yvan, freebsd-security@freebsd.org
In-Reply-To: <20071120123418.GA32444@zen.inc>
Message-ID: <465714.76277.qm@web55414.mail.re4.yahoo.com>
Subject: Re: IPSEC help

Hi,

I have changed the lifetime on both sides, i.e. 28800 sec, but unlucky again. The following are the logs after changing the lifetime. The comparison of lifetime is now 28800:28800.

2007-11-20 20:27:12: DEBUG2: lifetime = 28800
2007-11-20 20:27:12: DEBUG2: lifebyte = 0
2007-11-20 20:27:12: DEBUG2: encklen=0
2007-11-20 20:27:12: DEBUG2: p:1 t:1
2007-11-20 20:27:12: DEBUG2: 3DES-CBC(5)
2007-11-20 20:27:12: DEBUG2: SHA(2)
2007-11-20 20:27:12: DEBUG2: 1024-bit MODP group(2)
2007-11-20 20:27:12: DEBUG2: RSA signatures(3)
2007-11-20 20:27:12: DEBUG2:
2007-11-20 20:27:12: DEBUG: hmac(modp1024)
2007-11-20 20:27:12: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2007-11-20 20:27:12: DEBUG2: parse successed.
2007-11-20 20:27:12: DEBUG: my interface: 202.70.87.123 (lnc0)
2007-11-20 20:27:12: DEBUG: my interface: fe80::1%lo0 (lo0)
2007-11-20 20:27:12: DEBUG: my interface: ::1 (lo0)
2007-11-20 20:27:12: DEBUG: my interface: 127.0.0.1 (lo0)
2007-11-20 20:27:12: DEBUG: configuring default isakmp port.
2007-11-20 20:27:12: DEBUG: 4 addrs are configured successfully
2007-11-20 20:27:12: INFO: 127.0.0.1[500] used as isakmp port (fd=4)
2007-11-20 20:27:12: INFO: ::1[500] used as isakmp port (fd=5)
2007-11-20 20:27:12: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2007-11-20 20:27:12: INFO: 202.70.87.123[500] used as isakmp port (fd=7)
2007-11-20 20:27:12: DEBUG: get pfkey X_SPDDUMP message
2007-11-20 20:27:12: DEBUG2: 02120000 17000100 01000000 ce020000 03000500 ff200000 10020000 cb5b82ad 00000000 00000000 03000600 ff200000 10020000 ca46577b 00000000 00000000 07001200 02000100 04400000 00000000 28003200 02020000 10020000 cb5b82ad 00000000 00000000 10020000 ca46577b 00000000 00000000 04000200 00000000 00000000 00000000 34f14247 00000000 34f14247 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
2007-11-20 20:27:12: DEBUG: get pfkey X_SPDDUMP message
2007-11-20 20:27:12: DEBUG2: 02120000 17000100 00000000 ce020000 03000500 ff200000 10020000 ca46577b 00000000 00000000 03000600 ff200000 10020000 cb5b82ad 00000000 00000000 07001200 02000200 05400000 00000000 28003200 02020000 10020000 ca46577b 00000000 00000000 10020000 cb5b82ad 00000000 00000000 04000200 00000000 00000000 00000000 34f14247 00000000 c1f14247 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
2007-11-20 20:27:12: DEBUG: sub:0xbfbfe600: 202.70.87.123/32[0] 203.91.130.173/32[0] proto=any dir=out
2007-11-20 20:27:12: DEBUG: db :0x809fa08: 203.91.130.173/32[0] 202.70.87.123/32[0] proto=any dir=in
2007-11-20 20:27:31: DEBUG: ===
2007-11-20 20:27:31: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: 97986acd b6c3711c 0c54bbe7 18fce101 08100501 d953545f 00000054 7fae97bf 94a077f0 2f4cc211 731009a0 5d77f1ee 202451d0 cecc9200 bba29735 6442fa30 5b69f5b6 899625ff e2fa2eda 76f27e8e 09cb1b8e
2007-11-20 20:27:31: ERROR: unknown Informational exchange received.
2007-11-20 20:27:31: DEBUG: ===
2007-11-20 20:27:31: DEBUG: 276 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: 0f99cf2a db2bf6a3 00000000 00000000 01100200 00000000 00000114 0d0000a4 00000001 00000001 00000098 01010004 03000024 01010000 80010005 80020002 80040002 80030003 800b0001 000c0004 00007080 03000024 02010000 80010005 80020001 80040002 80030003 800b0001 000c0004 00007080 03000024 03010000 80010001 80020002 80040001 80030003 800b0001 000c0004 00007080 00000024 04010000 80010001 80020001 80040001 80030003 800b0001 000c0004 00007080 0d000018 1e2b5169 05991c7d 7c96fcbf b587e461 00000004 0d000014 4048b7d5 6ebce885 25e7de7f 00d6c2d3 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 00000014 26244d38 eddb61b3 172a36e3 d0cfb819
2007-11-20 20:27:31: DEBUG: anonymous configuration selected for 203.91.130.173[500].
2007-11-20 20:27:31: DEBUG: ===
2007-11-20 20:27:31: INFO: respond new phase 1 negotiation: 202.70.87.123[500]<=>203.91.130.173[500]
2007-11-20 20:27:31: INFO: begin Identity Protection mode.
2007-11-20 20:27:31: DEBUG: begin.
2007-11-20 20:27:31: DEBUG: seen nptype=1(sa)
2007-11-20 20:27:31: DEBUG: seen nptype=13(vid)
2007-11-20 20:27:31: DEBUG: seen nptype=13(vid)
2007-11-20 20:27:31: DEBUG: seen nptype=13(vid)
2007-11-20 20:27:31: DEBUG: seen nptype=13(vid)
2007-11-20 20:27:31: DEBUG: succeed.
2007-11-20 20:27:31: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-11-20 20:27:31: INFO: received Vendor ID: FRAGMENTATION
2007-11-20 20:27:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-11-20 20:27:31: DEBUG: received unknown Vendor ID
2007-11-20 20:27:31: DEBUG: total SA len=160
2007-11-20 20:27:31: DEBUG: 00000001 00000001 00000098 01010004 03000024 01010000 80010005 80020002 80040002 80030003 800b0001 000c0004 00007080 03000024 02010000 80010005 80020001 80040002 80030003 800b0001 000c0004 00007080 03000024 03010000 80010001 80020002 80040001 80030003 800b0001 000c0004 00007080 00000024 04010000 80010001 80020001 80040001 80030003 800b0001 000c0004 00007080
2007-11-20 20:27:31: DEBUG: begin.
2007-11-20 20:27:31: DEBUG: seen nptype=2(prop)
2007-11-20 20:27:31: DEBUG: succeed.
2007-11-20 20:27:31: DEBUG: proposal #1 len=152
2007-11-20 20:27:31: DEBUG: begin.
2007-11-20 20:27:31: DEBUG: seen nptype=3(trns)
2007-11-20 20:27:31: DEBUG: seen nptype=3(trns)
2007-11-20 20:27:31: DEBUG: seen nptype=3(trns)
2007-11-20 20:27:31: DEBUG: seen nptype=3(trns)
2007-11-20 20:27:31: DEBUG: succeed.
2007-11-20 20:27:31: DEBUG: transform #1 len=36
2007-11-20 20:27:31: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-11-20 20:27:31: DEBUG: hash(sha1)
2007-11-20 20:27:31: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2007-11-20 20:27:31: DEBUG: hmac(modp1024)
2007-11-20 20:27:31: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-20 20:27:31: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-20 20:27:31: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-20 20:27:31: DEBUG: transform #2 len=36
2007-11-20 20:27:31: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-11-20 20:27:31: DEBUG: hash(md5)
2007-11-20 20:27:31: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2007-11-20 20:27:31: DEBUG: hmac(modp1024)
2007-11-20 20:27:31: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-20 20:27:31: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-20 20:27:31: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-20 20:27:31: DEBUG: transform #3 len=36
2007-11-20 20:27:31: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2007-11-20 20:27:31: DEBUG: encryption(des)
2007-11-20 20:27:31: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-11-20 20:27:31: DEBUG: hash(sha1)
2007-11-20 20:27:31: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
2007-11-20 20:27:31: DEBUG: hmac(modp768)
2007-11-20 20:27:31: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-20 20:27:31: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-20 20:27:31: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-20 20:27:31: DEBUG: transform #4 len=36
2007-11-20 20:27:31: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2007-11-20 20:27:31: DEBUG: encryption(des)
2007-11-20 20:27:31: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
2007-11-20 20:27:31: DEBUG: hash(md5)
2007-11-20 20:27:31: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
2007-11-20 20:27:31: DEBUG: hmac(modp768)
2007-11-20 20:27:31: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-20 20:27:31: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-20 20:27:31: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-20 20:27:31: DEBUG: pair 1:
2007-11-20 20:27:31: DEBUG: 0x80a94e0: next=0x0 tnext=0x80a94f0
2007-11-20 20:27:31: DEBUG: 0x80a94f0: next=0x0 tnext=0x80a9500
2007-11-20 20:27:31: DEBUG: 0x80a9500: next=0x0 tnext=0x80a9510
2007-11-20 20:27:31: DEBUG: 0x80a9510: next=0x0 tnext=0x0
2007-11-20 20:27:31: DEBUG: proposal #1: 4 transform
2007-11-20 20:27:31: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=4
2007-11-20 20:27:31: DEBUG: trns#=1, trns-id=IKE
2007-11-20 20:27:31: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2007-11-20 20:27:31: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2007-11-20 20:27:31: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2007-11-20 20:27:31: DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
2007-11-20 20:27:31: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2007-11-20 20:27:31: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2007-11-20 20:27:31: DEBUG: Compared: DB:Peer
2007-11-20 20:27:31: DEBUG: (lifetime = 28800:28800)
2007-11-20 20:27:31: DEBUG: (lifebyte = 0:0)
2007-11-20 20:27:31: DEBUG: enctype = 3DES-CBC:3DES-CBC
2007-11-20 20:27:31: DEBUG: (encklen = 0:0)
2007-11-20 20:27:31: DEBUG: hashtype = SHA:SHA
2007-11-20 20:27:31: DEBUG: authmethod = RSA signatures:RSA signatures
2007-11-20 20:27:31: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
2007-11-20 20:27:31: DEBUG: an acceptable proposal found.
2007-11-20 20:27:31: DEBUG: hmac(modp1024)
2007-11-20 20:27:31: DEBUG: new cookie: ee30ac4a17d6ee8b
2007-11-20 20:27:31: DEBUG: add payload of len 52, next type 13
2007-11-20 20:27:31: DEBUG: add payload of len 16, next type 0
2007-11-20 20:27:31: DEBUG: 104 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-20 20:27:31: DEBUG: sockname 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: send packet from 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: send packet to 203.91.130.173[500]
2007-11-20 20:27:31: DEBUG: 1 times of 104 bytes message will be sent to 203.91.130.173[500]
2007-11-20 20:27:31: DEBUG: 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002 80040002 80030003 800b0001 000c0004 00007080 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2007-11-20 20:27:31: DEBUG: resend phase1 packet 0f99cf2adb2bf6a3:ee30ac4a17d6ee8b
2007-11-20 20:27:31: DEBUG: ===
2007-11-20 20:27:31: DEBUG: 184 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 04100200 00000000 000000b8 0a000084 4e85c725 45a986f5 a0f20d2b dd982002 c53296c0 35612c43 0d53065a b0a5c7e9 661aaa56 46a50046 3f30d5a3 98119684 bd76515a ad95b9f9 6c5d7183 0321e23e 0815ea83 f6973157 9b12a091 fc133d89 365803d5 2146db50 ea6c1574 6986d7d7 78bec3cf e93229ce 37759460 9a5ec52e 020cc8fa fbf3b316 43c93524 fc3edbc4 00000018 64980a47 4b0b1245 8244d686 0bd0343f 134764c8
2007-11-20 20:27:31: DEBUG: begin.
2007-11-20 20:27:31: DEBUG: seen nptype=4(ke)
2007-11-20 20:27:31: DEBUG: seen nptype=10(nonce)
2007-11-20 20:27:31: DEBUG: succeed.
2007-11-20 20:27:31: DEBUG: ===
2007-11-20 20:27:31: DEBUG: compute DH's private.
2007-11-20 20:27:31: DEBUG: 49cc619e 813db34a f9d4b01d 04132736 e26b8e16 fdc860d5 6ce64ef4 69633814 7d59e4cf 2c6c4656 c3fc86a3 58293c80 0e0a37f8 148cb30f 8f858f5b f44d6d4c a6ed2f66 f28a7a23 3a028212 97d32189 4353af74 fc70a28e db10e277 67a3236f e853a894 5c902a76 4a7ae6d3 e6cc8d30 f93f6e61 6da15e51 a6e023ad 6410ceb5
2007-11-20 20:27:31: DEBUG: compute DH's public.
2007-11-20 20:27:31: DEBUG: 099592c3 f66bf7df 45605144 84704464 eb40bac8 2d77d376 15268e5b 4a678fce 09a45e08 4ef19648 714379f5 ded1adf8 c6ca5f5a 7fe71529 712efef0 b4548e38 73eb352a 5ca316ee 8551a1f3 88f347b7 9a65c237 b513bd91 2a25fb00 85df8702 99180797 d0f8e91e 82407174 d8c0bee5 0366337f 6b57b426 ef442107 45276e29
2007-11-20 20:27:31: DEBUG: create my CR: X.509 Certificate Signature
2007-11-20 20:27:31: DEBUG: add payload of len 128, next type 10
2007-11-20 20:27:31: DEBUG: add payload of len 16, next type 7
2007-11-20 20:27:31: DEBUG: add payload of len 1, next type 0
2007-11-20 20:27:31: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-20 20:27:31: DEBUG: sockname 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: send packet from 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: send packet to 203.91.130.173[500]
2007-11-20 20:27:31: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-20 20:27:31: DEBUG: 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 04100200 00000000 000000b9 0a000084 099592c3 f66bf7df 45605144 84704464 eb40bac8 2d77d376 15268e5b 4a678fce 09a45e08 4ef19648 714379f5 ded1adf8 c6ca5f5a 7fe71529 712efef0 b4548e38 73eb352a 5ca316ee 8551a1f3 88f347b7 9a65c237 b513bd91 2a25fb00 85df8702 99180797 d0f8e91e 82407174 d8c0bee5 0366337f 6b57b426 ef442107 45276e29 07000014 f8a01726 a1c3f216 2d725236 6277011b 00000005 04
2007-11-20 20:27:31: DEBUG: resend phase1 packet 0f99cf2adb2bf6a3:ee30ac4a17d6ee8b
2007-11-20 20:27:31: DEBUG: compute DH's shared.
2007-11-20 20:27:31: DEBUG: 9bbaa055 88c76d7c b1fd290b d399c5cd e3fd7d3e 1579daa7 239e28b4 1b519c18 cc311190 198c89cd 26c69c38 2ad04a88 08fef2c3 75ed6f2e fa0ec13a a4bf2ab6 35661f0a 38588d4a e815a4bd 0a853c96 cc5502b8 ec727e0e 90582cf9 f1c3e1ad 783f12e2 bfdc8915 981efd03 8b9f50d4 e44d3d2e 525b1172 aae8e384 1ab53ef6
2007-11-20 20:27:31: DEBUG: nonce1:
2007-11-20 20:27:31: DEBUG: 64980a47 4b0b1245 8244d686 0bd0343f 134764c8
2007-11-20 20:27:31: DEBUG: nonce2:
2007-11-20 20:27:31: DEBUG: f8a01726 a1c3f216 2d725236 6277011b
2007-11-20 20:27:31: DEBUG: hmac(hmac_sha1)
2007-11-20 20:27:31: DEBUG: SKEYID computed:
2007-11-20 20:27:31: DEBUG: 09882c9f e271f4a4 a181d9b0 6d35ba07 181e6109
2007-11-20 20:27:31: DEBUG: hmac(hmac_sha1)
2007-11-20 20:27:31: DEBUG: SKEYID_d computed:
2007-11-20 20:27:31: DEBUG: f7b31593 83e8a23a 6fbb0dd8 2a1f81f8 4c5a1f53
2007-11-20 20:27:31: DEBUG: hmac(hmac_sha1)
2007-11-20 20:27:31: DEBUG: SKEYID_a computed:
2007-11-20 20:27:31: DEBUG: 0d56f7b5 3a1c100b b83f978c 85a476eb 089a1cf9
2007-11-20 20:27:31: DEBUG: hmac(hmac_sha1)
2007-11-20 20:27:31: DEBUG: SKEYID_e computed:
2007-11-20 20:27:31: DEBUG: 66d03d25 7858c8d2 6d7ce36a f67b3b09 1f0bf875
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: hash(sha1)
2007-11-20 20:27:31: DEBUG: len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
2007-11-20 20:27:31: DEBUG: hmac(hmac_sha1)
2007-11-20 20:27:31: DEBUG: compute intermediate encryption key K1
2007-11-20 20:27:31: DEBUG: 00
2007-11-20 20:27:31: DEBUG: c90e0b4c 37788ed5 e8900200 ec6b0739 4b9a961a
2007-11-20 20:27:31: DEBUG: hmac(hmac_sha1)
2007-11-20 20:27:31: DEBUG: compute intermediate encryption key K2
2007-11-20 20:27:31: DEBUG: c90e0b4c 37788ed5 e8900200 ec6b0739 4b9a961a
2007-11-20 20:27:31: DEBUG: 0d44b4e7 8eb7fc58 a7beb122 dbb66c11 09c68be7
2007-11-20 20:27:31: DEBUG: final encryption key computed:
2007-11-20 20:27:31: DEBUG: c90e0b4c 37788ed5 e8900200 ec6b0739 4b9a961a 0d44b4e7
2007-11-20 20:27:31: DEBUG: hash(sha1)
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: IV computed:
2007-11-20 20:27:31: DEBUG: 0a536fb1 8fd806a7
2007-11-20 20:27:31: DEBUG: ===
2007-11-20 20:27:31: DEBUG: 84 bytes message received from 203.91.130.173[500] to 202.70.87.123[500]
2007-11-20 20:27:31: DEBUG: 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 08100501 9d6a3089 00000054 5d8e333a 0bf26cc3 8eedb74b 16124d12 7ffb7bc1 9c9af7c4 b03a75f1 7274a817 367405c0 3b6a9e7d 23e168da 4a0d30ff a94585d4 14272c4c
2007-11-20 20:27:31: DEBUG: receive Information.
2007-11-20 20:27:31: DEBUG: compute IV for phase2
2007-11-20 20:27:31: DEBUG: phase1 last IV:
2007-11-20 20:27:31: DEBUG: 0a536fb1 8fd806a7 9d6a3089
2007-11-20 20:27:31: DEBUG: hash(sha1)
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: phase2 IV computed:
2007-11-20 20:27:31: DEBUG: 851268e7 9ef949af
2007-11-20 20:27:31: DEBUG: begin decryption.
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: IV was saved for next processing:
2007-11-20 20:27:31: DEBUG: a94585d4 14272c4c
2007-11-20 20:27:31: DEBUG: encryption(3des)
2007-11-20 20:27:31: DEBUG: with key:
2007-11-20 20:27:31: DEBUG: c90e0b4c 37788ed5 e8900200 ec6b0739 4b9a961a 0d44b4e7
2007-11-20 20:27:31: DEBUG: decrypted payload by IV:
2007-11-20 20:27:31: DEBUG: 851268e7 9ef949af
2007-11-20 20:27:31: DEBUG: decrypted payload, but not trimed.
2007-11-20 20:27:31: DEBUG: 0b000018 303a48d0 adbdd426 c1af17aa 1a4d59c1 1cebd133 0000001c 00000001 0110001c 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 00000000
2007-11-20 20:27:31: DEBUG: padding len=1
2007-11-20 20:27:31: DEBUG: skip to trim padding.
2007-11-20 20:27:31: DEBUG: decrypted.
2007-11-20 20:27:31: DEBUG: 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 08100501 9d6a3089 00000054 0b000018 303a48d0 adbdd426 c1af17aa 1a4d59c1 1cebd133 0000001c 00000001 0110001c 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 00000000
2007-11-20 20:27:31: ERROR: ignore information because ISAKMP-SA has not been established yet.
2007-11-20 20:27:41: DEBUG: 185 bytes from 202.70.87.123[500] to 203.91.130.173[500]
2007-11-20 20:27:41: DEBUG: sockname 202.70.87.123[500]
2007-11-20 20:27:41: DEBUG: send packet from 202.70.87.123[500]
2007-11-20 20:27:41: DEBUG: send packet to 203.91.130.173[500]
2007-11-20 20:27:41: DEBUG: 1 times of 185 bytes message will be sent to 203.91.130.173[500]
2007-11-20 20:27:41: DEBUG: 0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 04100200 00000000 000000b9 0a000084 099592c3 f66bf7df 45605144 84704464 eb40bac8 2d77d376 15268e5b 4a678fce 09a45e08 4ef19648 714379f5 ded1adf8 c6ca5f5a 7fe71529 712efef0 b4548e38 73eb352a 5ca316ee 8551a1f3 88f347b7 9a65c237 b513bd91 2a25fb00 85df8702 99180797 d0f8e91e 82407174 d8c0bee5 0366337f 6b57b426 ef442107 45276e29 07000014 f8a01726 a1c3f216 2d725236 6277011b 00000005 04
2007-11-20 20:27:41: DEBUG: resend phase1 packet 0f99cf2adb2bf6a3:ee30ac4a17d6ee8b

Regards,
John

VANHULLEBUS Yvan wrote:
> On Tue, Nov 20, 2007 at 02:57:17AM -0800, john decot wrote:
> > Hi,
> >
> > I have checked with different mode that obey and found error
> > no valid proposal and again i change lifetime too in bsd
> > server. But I can't found where should i have to change those
> > parameter in remote windows ipsec box.
>
> You shouldn't have to change setup on both ends: you can just change values on one end (the BSD server) to match values of the other end.
>
> According to the quick look I had at your previous dump and to my memory (ok, so that's probably not exact :-), you should just have to change lifetime to 28800 sec in remote section.
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
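The two 84-byte informational messages in the log above are the ones the thread keeps tripping over; here is an added decoder (mine, not racoon's code) that walks the ISAKMP header and payload chain of both, using the hex exactly as racoon dumped it. On the packet racoon could decrypt it reports a HASH payload followed by a Notification payload, and the notify type field it extracts (28, CERTIFICATE-UNAVAILABLE in RFC 2408's table) is the value Yvan is asking to see; on the first packet the encryption flag is set and the cookies are unknown, so only the header is readable, and the decoder stops there instead of parsing ciphertext.

```python
"""Decode the ISAKMP (IKEv1, RFC 2408) header and payload chain of a packet
dumped by racoon.  Added example for this thread; not racoon's code."""
import struct

HEADER_LEN = 28
FLAG_ENCRYPTION = 0x01
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
# RFC 2408 section 3.14.1 notify message types (the ones worth recognising here).
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE", 14: "NO-PROPOSAL-CHOSEN",
                16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED", 28: "CERTIFICATE-UNAVAILABLE"}

# Both dumps are copied from the racoon log in the thread.  The first is the
# 84-byte informational as it arrived (ciphertext body, unknown cookies); the
# second is racoon's "decrypted." rendering of the later one.
CIPHERTEXT_INFO = ("97986acd b6c3711c 0c54bbe7 18fce101 08100501 d953545f 00000054 7fae97bf "
                   "94a077f0 2f4cc211 731009a0 5d77f1ee 202451d0 cecc9200 bba29735 6442fa30 "
                   "5b69f5b6 899625ff e2fa2eda 76f27e8e 09cb1b8e")
DECRYPTED_INFO = ("0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 08100501 9d6a3089 00000054 0b000018 "
                  "303a48d0 adbdd426 c1af17aa 1a4d59c1 1cebd133 0000001c 00000001 0110001c "
                  "0f99cf2a db2bf6a3 ee30ac4a 17d6ee8b 00000000")


def parse_header(data: bytes) -> dict:
    """Fixed 28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msgid, length."""
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, version, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes on the wire")
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": np,
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "msgid": f"{msgid:08x}", "length": length}


def parse_payloads(body: bytes, first_type: int) -> list:
    """Walk the generic payload headers (next, reserved, length) until next == 0."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(body):
            raise ValueError("payload chain runs past the end of the message")
        np, _reserved, plen = struct.unpack("!BBH", body[off:off + 4])
        if plen < 4 or off + plen > len(body):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        entry = {"type": PAYLOAD_TYPES.get(ptype, f"type {ptype}"), "length": plen}
        if ptype == 11:   # Notification: DOI, protocol-id, SPI size, notify type, SPI, data
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[off + 4:off + 12])
            entry.update(doi=doi, protocol_id=proto, notify_type=ntype,
                         notify=NOTIFY_TYPES.get(ntype, f"type {ntype}"),
                         spi=body[off + 12:off + 12 + spi_size].hex())
        payloads.append(entry)
        ptype, off = np, off + plen
    return payloads    # bytes after the last payload are cipher-block padding


def decode(hexdump: str, decrypted: bool = False):
    """Return (header, payloads); payloads is None when the body is still ciphertext."""
    data = bytes.fromhex("".join(hexdump.split()))
    header = parse_header(data)
    if header["encrypted"] and not decrypted:
        return header, None   # without the SA keys only the header can be read
    return header, parse_payloads(data[HEADER_LEN:], header["next_payload"])


if __name__ == "__main__":
    for name, dump, dec in (("as received", CIPHERTEXT_INFO, False),
                            ("racoon decrypted", DECRYPTED_INFO, True)):
        hdr, payloads = decode(dump, decrypted=dec)
        print(name, hdr["exchange"], "encrypted=%s" % hdr["encrypted"], payloads)
```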
From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 16:57:01 2007
Date: Tue, 20 Nov 2007 17:56:59 +0100
From: VANHULLEBUS Yvan
To: john decot
Cc: freebsd-security@freebsd.org
Message-ID: <20071120165659.GA1949@zen.inc>
In-Reply-To: <465714.76277.qm@web55414.mail.re4.yahoo.com>
Subject: Re: IPSEC help

On Tue, Nov 20, 2007 at 08:46:28AM -0800, john decot wrote:
> Hi,
>
> I have change life time in both side i.e 28800 sec but unlucky again.
> [
> 2007-11-20 20:27:31: ERROR: ignore information because ISAKMP-SA has not been established yet.

Do a tcpdump/wireshark and have a look at what's in that informational message...

Yvan.
--
NETASQ
http://www.netasq.com

From owner-freebsd-security@FreeBSD.ORG Tue Nov 20 17:29:28 2007
From: Nikolay Pavlov
To: freebsd-security@freebsd.org
Cc: JP
Date: Tue, 20 Nov 2007 19:01:20 +0200
Message-Id: <200711201901.28546.qpadla@gmail.com>
In-Reply-To: <200711200941.52719.johnpollock@bellsouth.net>
Subject: Re: chkrootkit V. 0.47

On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running freeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 6667)
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================================
>
> Looking above, the above shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.

Such tools are known to trigger false positives sometimes. I'd recommend playing with some additional utilities like lsof. In the case of bindshell, try to find processes that were executed from world-writable directories such as /tmp. Try to shut down httpd and other daemons and see if any of them are still running.

--
- Best regards, Nikolay Pavlov. <<<-----------------------------------
From owner-freebsd-security@FreeBSD.ORG Wed Nov 21 11:11:05 2007
Date: Wed, 21 Nov 2007 12:44:21 +0200
From: Peter Pentchev
To: Nikolay Pavlov
Cc: freebsd-security@freebsd.org, JP
Message-ID: <20071121104421.GA1147@straylight.m.ringlet.net>
In-Reply-To: <200711201901.28546.qpadla@gmail.com>
Subject: Re: chkrootkit V. 0.47

On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running freeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS: 6667)
[snip]
> >
> > I do run an IRCd...
>
> Such tools is known to trigger false positives sometimes. I'd recommend to
> play with some additional utilities like lsof. In case of bindshell try to
> find processes that was executed from world writable directories such
> as /tmp. Try to shutdown httpd and other daemons and see if any of them
> still running.

The bindshell is most probably a false positive - chkrootkit just checks if anything is listening on "unusual" ports. Since 6667 is one of the most often used well-known ports for IRC communication, this is most probably a false positive.

G'luck,
Peter

--
Peter Pentchev	roam@ringlet.net	roam@cnsys.bg	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
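Nikolay's and Peter's replies together describe the check a sysadmin should run on a chkrootkit `bindshell' hit: find out which process owns the flagged port and whether its binary lives somewhere world-writable such as /tmp. The following is an added example of that triage (my code, not chkrootkit's); the sockstat output, executable paths and directory modes are constructed for illustration, with only the ircd on 6667 mirroring JP's situation, and the perl listener on 31337 is an invented bad case.

```python
"""Triage a chkrootkit `bindshell' hit: which process owns the flagged port,
and was its binary started from a world-writable directory?
Added example for this thread; not chkrootkit's code.  Sample inputs are constructed."""
import os
import re
import stat

# Constructed `sockstat -4l` output in FreeBSD's column layout.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
www      httpd      640   3  tcp4   *:80                  *:*
ircd     ircd       812   7  tcp4   *:6667                *:*
nobody   perl       2207  5  tcp4   *:31337               *:*
"""
# Constructed executable path per PID (what lsof -p <pid> would report).
# PID 2207 is the invented bad case.
EXE_PATH = {512: "/usr/sbin/sshd", 640: "/usr/local/sbin/httpd",
            812: "/usr/local/sbin/ircd", 2207: "/tmp/.x/perl"}
# Constructed directory modes standing in for os.stat(dir).st_mode on the host.
DIR_MODE = {"/tmp": 0o41777, "/tmp/.x": 0o40777, "/usr/sbin": 0o40755,
            "/usr/local/sbin": 0o40755}


def flagged_ports(chkrootkit_output: str) -> list:
    """Ports named in a "Checking `bindshell'... INFECTED (PORTS: ...)" line."""
    m = re.search(r"`bindshell'\.\.\. INFECTED \(PORTS: ([\d ]+)\)", chkrootkit_output)
    return [int(p) for p in m.group(1).split()] if m else []


def listeners(sockstat_text: str) -> dict:
    """Map local port -> owning user/command/pid from sockstat -l style output."""
    table = {}
    for line in sockstat_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        port = local.rsplit(":", 1)[1]
        if port.isdigit():
            table[int(port)] = {"user": user, "command": command,
                                "pid": int(pid), "proto": proto}
    return table


def under_world_writable_dir(path: str, dir_mode=None) -> bool:
    """True if any directory above `path` is world-writable (e.g. /tmp, /var/tmp).
    dir_mode(dir) returns an st_mode or None; the default asks the live filesystem."""
    if dir_mode is None:
        dir_mode = lambda d: os.stat(d).st_mode if os.path.isdir(d) else None
    d = os.path.dirname(path)
    while d and d != "/":
        mode = dir_mode(d)
        if mode is not None and mode & stat.S_IWOTH:
            return True
        d = os.path.dirname(d)
    return False


def triage(chkrootkit_output: str, sockstat_text: str, exe_path: dict, dir_mode=None) -> dict:
    """One verdict per flagged port.  This proves nothing clean; it only separates
    'a daemon from a normal path is listening here' from 'nobody visible owns this'
    or 'the binary lives somewhere anyone can write'."""
    report = {}
    owners = listeners(sockstat_text)
    for port in flagged_ports(chkrootkit_output):
        owner = owners.get(port)
        if owner is None:
            report[port] = {"verdict": "no listener found; port was transient or the owner is hidden"}
            continue
        path = exe_path.get(owner["pid"])
        if path is None:
            verdict = "listener with unknown binary; inspect with lsof"
        elif under_world_writable_dir(path, dir_mode):
            verdict = "suspicious: binary under a world-writable directory"
        else:
            verdict = "known daemon on its usual port"
        report[port] = {**owner, "path": path, "verdict": verdict}
    return report


if __name__ == "__main__":
    line = "Checking `bindshell'... INFECTED (PORTS: 6667)"   # the line from JP's run
    for port, info in triage(line, SOCKSTAT_OUTPUT, EXE_PATH, DIR_MODE.get).items():
        print(port, info)
```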
From owner-freebsd-security@FreeBSD.ORG Thu Nov 22 15:08:35 2007
Date: Thu, 22 Nov 2007 07:08:21 -0800 (PST)
From: john decot
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Message-ID: <201510.15632.qm@web55408.mail.re4.yahoo.com>
In-Reply-To: <20071120165659.GA1949@zen.inc>
Subject: Re: IPSEC help

Hi,

tcpdump shows only isakmp information, there is no information about esp and AH headers.

08:05:55.761245 IP 202.70.87.123.isakmp > ws130173.corporate-access.com.isakmp: isakmp: phase 1 ? ident[E]
08:05:55.775403 IP 202.70.87.121 > 202.70.87.123: ICMP redirect ws130173.corporate-access.com to host ws130173.corporate-access.com, length 556
08:05:55.778172 IP 202.70.87.123.isakmp > ws130173.corporate-access.com.isakmp: isakmp: phase 1 ? ident[E]

Regards,
John

VANHULLEBUS Yvan wrote:
> On Tue, Nov 20, 2007 at 08:46:28AM -0800, john decot wrote:
> > Hi,
> >
> > I have change life time in both side i.e 28800 sec but unlucky again.
> > [
> > 2007-11-20 20:27:31: ERROR: ignore information because ISAKMP-SA has not been established yet.
>
> Do a tcpdump/wireshark and have a look at what's in that informational message...
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com