Google+ Hangout Details
Written by Jason Kendall Thursday, 30 June 2011 22:19
So one of the first things I played with when I got my Google+ was the Hangout feature - to kinda give a quick overview, it allows you and 9 others to create a room where you can see and talk using your webcam and mic, there is a chat box and the option to share YouTube videos. But that's not what this is about - this is about HOW it works, I'm a hacker after all ;)
So first things first, we wanted to check out the TCP connections - at first glance those are easy to see, but what was interesting was that the connections were only to localhost. This wasn't analysed yet to see what those were for; I'm assuming it has to do with interconnects between some backend process and the web plugin.
Today, I started looking at the UDP packets, and to my surprise (After clearing out all of Skype connections) there was only ONE UDP stream, and only going to ONE IP address.
This IP has the following information:
me@server:~# nslookup 209.85.225.127
Server: 10.0.0.1
Address: 10.0.0.1#53
Non-authoritative answer:
127.225.85.209.in-addr.arpa name = iy-in-f127.1e100.net.
Authoritative answers can be found from:
225.85.209.in-addr.arpa nameserver = ns3.google.com.
225.85.209.in-addr.arpa nameserver = ns1.google.com.
225.85.209.in-addr.arpa nameserver = ns4.google.com.
225.85.209.in-addr.arpa nameserver = ns2.google.com.
ns3.google.com internet address = 216.239.36.10
ns1.google.com internet address = 216.239.32.10
ns4.google.com internet address = 216.239.38.10
ns2.google.com internet address = 216.239.34.10
So it looks like all the video and audio traffic is going through the one server (in this instance).
The process handling this traffic is:
udp 0 0 10.0.0.100:50437 0.0.0.0:* 12349/GoogleTalkPlu
udp 0 0 10.0.0.100:42549 0.0.0.0:* 12349/GoogleTalkPlu
udp 0 0 10.0.0.100:56608 0.0.0.0:* 12349/GoogleTalkPlu
All with the same Destination port of: 19305
Update 1:
Another interesting point is that the SERVER is sending STUN requests with the username attribute set to a random string to the client - to which the client is sending back the username and the server's "client" address.
Update 2 (Biggie):
Seems there is a little data leakage and infrastructure data. My client will also send out STUN requests to the server, however, when the SERVER responds - it returns 10.13.32.10. Safe to say, that isn't my internal, nor external IP address. This seems to suggest the servers are being load balancers and the STUN server isn't seeing MY external IP, but the internal IP of the load balancer. -- It's also reporting back a different port than any port in my captures.
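The STUN traffic described in Updates 1 and 2 (server-sent Binding requests carrying a USERNAME, and a response whose mapped address is a 10.x address) is the kind of thing worth checking for automatically when reviewing a capture. The following is an added example, not code from the original post: a small RFC 5389 parser that pulls out the USERNAME and the (XOR-)MAPPED-ADDRESS attributes and flags a reflexive address that falls inside private address space, which is exactly the check that surfaces the leak described above. The sample messages are constructed here; the username string and port are made up, and only the 10.13.32.10 address comes from the post.

```python
"""Parse STUN messages (RFC 5389 framing) and flag private mapped addresses.

Added example; not code from the original post. The sample messages below are
constructed here, not captured from the Hangout session the post describes.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101

# Attribute types from RFC 5389 (and RFC 3489 for MAPPED-ADDRESS)
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_USERNAME = 0x0006
ATTR_XOR_MAPPED_ADDRESS = 0x0020
COOKIE_BYTES = struct.pack("!I", MAGIC_COOKIE)


def build_stun(msg_type, attrs, txid=None):
    """Serialize a STUN message; attrs is a list of (type, value-bytes)."""
    txid = txid or os.urandom(12)
    body = b""
    for atype, value in attrs:
        pad = (-len(value)) % 4  # attribute values are padded to 4-byte boundaries
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def encode_address(ip, port, xor=False):
    """Encode an IPv4 MAPPED-ADDRESS or XOR-MAPPED-ADDRESS attribute value."""
    packed = ipaddress.IPv4Address(ip).packed
    if xor:
        port ^= MAGIC_COOKIE >> 16
        packed = bytes(a ^ b for a, b in zip(packed, COOKIE_BYTES))
    return struct.pack("!BBH", 0, 0x01, port) + packed


def parse_stun(data):
    """Return a dict with type, txid, username and mapped (ip, port) if present."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("not an RFC 5389 STUN message")
    out = {"type": msg_type, "txid": data[8:20], "username": None, "mapped": None}
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + alen + ((-alen) % 4)
        if atype == ATTR_USERNAME:
            out["username"] = value.decode("utf-8", "replace")
        elif atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            family, port = struct.unpack("!xBH", value[:4])
            addr = value[4:8]
            if family != 0x01:
                continue  # IPv4 only in this example
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr = bytes(a ^ b for a, b in zip(addr, COOKIE_BYTES))
            out["mapped"] = (str(ipaddress.IPv4Address(addr)), port)
    return out


def mapped_address_is_private(parsed):
    """True when the reflexive address the server reported is private (RFC 1918 etc.)."""
    if not parsed["mapped"]:
        return False
    return ipaddress.ip_address(parsed["mapped"][0]).is_private


# Constructed sample exchange (not captured traffic): a Binding request carrying a
# USERNAME, and a response whose XOR-MAPPED-ADDRESS is the 10.13.32.10 address the
# post reports. Port 40001 and the username are made-up values.
SAMPLE_TXID = b"\x01" * 12
SAMPLE_REQUEST = build_stun(BINDING_REQUEST, [(ATTR_USERNAME, b"a7Kd92:zQ1x")], SAMPLE_TXID)
SAMPLE_RESPONSE = build_stun(
    BINDING_RESPONSE,
    [(ATTR_XOR_MAPPED_ADDRESS, encode_address("10.13.32.10", 40001, xor=True))],
    SAMPLE_TXID,
)

if __name__ == "__main__":
    req = parse_stun(SAMPLE_REQUEST)
    resp = parse_stun(SAMPLE_RESPONSE)
    print("request username:", req["username"])
    print("response mapped:", resp["mapped"], "private:", mapped_address_is_private(resp))
```

Run over the UDP payloads of a capture, a private reflexive address in a Binding response is the signal that the answering host is behind a load balancer or relay rather than talking to the client directly, which is what the post infers from the 10.13.32.10 value.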
Update 3:
Control and chat are sent via encrypted XMPP - nothing really surprising there to say the least. However, switching into YouTube mode did not produce an XMPP event. (The YouTube request, I found out, is carried in the HTTPS stream.) This XMPP server is located at 209.85.225.125. Duh, should have checked this - this turned out to be my GoogleTalk account ;)
Update 4:
Starting a new stream (and no one joined yet) - the same server IP addresses and ports were seen. Random client-side ports are used, as expected. However, upon deeper inspection, a 4th port is used. The full list of ports used for the plugin is (a new session compared to the one above):
me@server:/usr/local# netstat -anp | grep Google
tcp 0 0 127.0.0.1:50981 0.0.0.0:* LISTEN 13116/GoogleTalkPlu
tcp 0 0 127.0.0.1:50981 127.0.0.1:53486 ESTABLISHED 13116/GoogleTalkPlu
tcp 0 0 127.0.0.1:50981 127.0.0.1:53458 ESTABLISHED 13116/GoogleTalkPlu
tcp 0 0 127.0.0.1:50981 127.0.0.1:52903 ESTABLISHED 13116/GoogleTalkPlu
udp 0 0 10.0.0.100:42102 0.0.0.0:* 13116/GoogleTalkPlu
udp 0 0 10.0.0.100:35009 0.0.0.0:* 13116/GoogleTalkPlu
udp 0 0 10.0.0.100:44302 0.0.0.0:* 13116/GoogleTalkPlu
udp 0 0 10.0.0.100:36667 0.0.0.0:* 13116/GoogleTalkPlu
unix 2 [ ] DGRAM 1814743 13116/GoogleTalkPlu @google-nacl-GoogleTalkPlugin
unix 3 [ ] SEQPACKET CONNECTED 1833112 13116/GoogleTalkPlu
unix 3 [ ] SEQPACKET CONNECTED 1830401 13116/GoogleTalkPlu
unix 3 [ ] STREAM CONNECTED 1790867 13116/GoogleTalkPlu
The interesting part is the localhost connections. These connections only appear to be TCP packets with [PSH,ACK] and an [ACK] reply. There is data in the PSH packet; it looks like statistics and maybe some control details. Example data (the e-mail address in the records was hidden by the site's spam protection):
["jmidata","[e-mail address hidden]","c2018723930","1890",[[{"b":763553,"en":114,"fl":-1,"j":-1,"p":23916,"rtt":-1,"s":3493708127,"t":"s"}],[{"b":0,"fir":15,"fps":12,"h":360,"nack":457,"nbr":176000,"p":
t["jai","[e-mail address hidden]","c2018723930","0",["0",[]],"5"]
n["comment","SSRC 2 render input fps: 14,12,12,12,11,13,12,12,12,12 output fps: 14,12,12,12,11,13,12,12,12,12"]
n["comment","SSRC 2 render input fps: 14,12,12,12,12,12,12,12,12,12 output fps: 15,12,12,12,11,13,12,12,12,12"]
["trstate","[e-mail address hidden]","c2018723930",{"allWritable":true,"anyRelay":false,"anyTcp":false,"anyWritable":true,"smoothedBWRecv":229738,"smoothedBWSend":495285}]
So there are some FPS stats and state data communicated via loopback within the same process. Interesting, using GDB I caused a restart of the process - it kept the old ports open and created new threads.
Update 5:
Turning to the Binary we found these interesting strings:
received-voice.rtpdump
sent-voice.rtpdump
received-video.rtpdump
sent-video.rtpdump
application/aecdump
application/rtpdump
application/x-bzip
google:jingle
urn:xmpp:jingle:1
stun.l.google.com
Seems there are also some references to the GIPS codec (http://www.voip-info.org/wiki/view/GIPS) and H.264 (http://en.wikipedia.org/wiki/H.264/MPEG-4_AVC) and what appears to be ICEMediaStreams. This domain also popped up: http://www.vidyo.com/
Using DNS Hash to validate Binary Files
Written by Jason Kendall Thursday, 02 June 2011 14:03
So I was having an interesting conversation with Eric Cowperthwaite (e_cowperthwaite) on Twitter around the concept of OS on hardware, and the topic turned to a concept that failed a number of years ago - thin clients. The concept is you have a small footprint box at the desktop, which is hardware only - it then connects to some back end system which handles all the compute power and displays the results back on the thin client. We talked about a project called CoreBoot, which originally was LinuxBIOS with a goal of putting Linux on BIOS chips. They have since moved into making any OS available on the BIOS chip, but that's neither here nor there for this post. The problem noted was: how does one verify any binary blobs which extend what's on the BIOS - think of a TFTP server holding a CramFS based operating structure. If the attacker was able to modify that file, they would be able to p0wn all the boxes that used that image.
I jokingly suggested using DNS to return the hash of the image. I say jokingly because originally I hadn't thought the concept through, and was more pointing out how often we take DNS and bend it to do things it was never intended to do. But let's look at this and play it out:
1. Coreboot initializes a kernel - for simplicity, we'll say it's Linux
2. Once it boots the kernel, it will require some sort of base file system, so it will go out and acquire a config file based on MAC address (think VoIP phones)
3. It will validate the config file by doing a DNS TXT query on an internal DNS system which will return a predefined HASH of the file
4. The config file will then point coreboot to the actual image it should download (in case there are multiple images available)
5. Once it downloads, and before it boots, it again uses DNS TXT queries to validate the image.
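The validation in steps 3 and 5 is the same operation applied to two blobs (the per-MAC config file, then the image it points at). The following is an added example, not code from the post and not anything Coreboot defines: a verifier that looks up a TXT record for the blob's name, parses a hash out of it, and compares it to the downloaded bytes in constant time. The record name suffix `_image.example.internal` and the TXT format `v=1; alg=sha256; h=<hex>` are assumptions made here. The DNS lookup is injected as a callable so the example runs offline against constructed zone data; in a real deployment that callable would be a validating resolver (for instance dnspython's `dns.resolver.resolve(name, "TXT")` with DNSSEC checked), since the author's own caveat holds: an unsigned DNS answer can be spoofed.

```python
"""Validate a downloaded boot blob against a hash published in a DNS TXT record.

Added example, not code from the post. Record name suffix, TXT format and the
sample zone below are constructed for this example.
"""
import hashlib
import hmac
import re

# Assumed TXT record format: "v=1; alg=sha256; h=<hex digest>"
RECORD_RE = re.compile(r"^v=1;\s*alg=(?P<alg>sha256|sha512);\s*h=(?P<hex>[0-9a-fA-F]+)$")


def record_name(blob_name, zone="_image.example.internal"):
    """Name queried for a blob; the zone suffix is an assumption of this example."""
    return f"{blob_name}.{zone}"


def parse_hash_record(txt_strings):
    """Pick the hash out of the TXT strings for a name; refuse ambiguous answers."""
    parsed = []
    for s in txt_strings:
        m = RECORD_RE.match(s.strip())
        if m:
            parsed.append((m.group("alg"), m.group("hex").lower()))
    if len(parsed) != 1:
        # zero records means nothing to trust; two or more means someone could
        # pick the convenient one, so treat both as a failure
        raise ValueError(f"expected exactly one hash record, found {len(parsed)}")
    alg, hexdigest = parsed[0]
    if len(hexdigest) != hashlib.new(alg).digest_size * 2:
        raise ValueError("digest length does not match algorithm")
    return alg, hexdigest


def verify_blob(blob_bytes, blob_name, lookup_txt):
    """Return True iff blob_bytes hashes to the value published in DNS."""
    alg, expected = parse_hash_record(lookup_txt(record_name(blob_name)))
    actual = hashlib.new(alg, blob_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data standing in for the TFTP server and the internal DNS zone.
GOOD_IMAGE = b"cramfs-image-contents-v1"
TAMPERED_IMAGE = b"cramfs-image-contents-v1-with-extra-bytes"
SAMPLE_ZONE = {
    record_name("thin-client.img"): [
        "v=1; alg=sha256; h=" + hashlib.sha256(GOOD_IMAGE).hexdigest()
    ],
    record_name("no-record.img"): ["some unrelated text"],
}


def sample_lookup(name):
    """Offline stand-in for a TXT query; returns the list of TXT strings."""
    return SAMPLE_ZONE.get(name, [])


def boot_decision(blob_bytes, blob_name, lookup_txt=sample_lookup):
    """'boot' only when the hash matches; any lookup or parse problem refuses."""
    try:
        return "boot" if verify_blob(blob_bytes, blob_name, lookup_txt) else "refuse"
    except ValueError:
        return "refuse"


if __name__ == "__main__":
    print(boot_decision(GOOD_IMAGE, "thin-client.img"))      # boot
    print(boot_decision(TAMPERED_IMAGE, "thin-client.img"))  # refuse
    print(boot_decision(GOOD_IMAGE, "no-record.img"))        # refuse
```

The fail-closed default in `boot_decision` is the part that matters for the threat in the post: a missing, malformed or duplicated record is treated the same as a bad hash, so an attacker who can only disrupt DNS gets a box that refuses to boot rather than one that boots an unverified image.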
Why do this? Well:
1. Most companies already have this infrastructure
2. Would reduce the surface areas available to attackers
3. If the TFTP server and DNS systems are separate, requires the attacker compromise multiple systems
I'm sure there are caveats, and I'm sure someone will point them all out, like DNS/DHCP spoofing and other network issues, but I think this is an option that could be built upon and expanded.
[ Disclaimer - This posting does not provide my permission to use this idea in a commercial product. ]
OMGWTFRUKIDDINGME AKA Coastering CDs in Ubuntu
Written by Jason Kendall Wednesday, 23 February 2011 23:38
Short and sweet blog posting. I kept getting this error every time I tried to burn a CD; so far today I coastered 4 CDs trying to resolve this issue:
Errno: 5 (Input/output error), write_g1 scsi sendcmd: no error
First hit in Google was an Ubuntu Launchpad bug report from Oct 2007 - https://bugs.launchpad.net/ubuntu/+source/k3b/+bug/149076 - SERIOUSLY?! Still not fixed in 10.10, 3+ years later?!
Fix:
Add the following PPA: https://launchpad.net/~brandonsnider/+archive/cdrtools by running the following command:
sudo add-apt-repository ppa:brandonsnider/cdrtools
Then:
sudo apt-get install cdrecord
This will remove the crappy wodim that comes stock, and replaces it with the good ol' cdrecord we used to love. Damn you Ubuntu!
Not only did that fix the issue - the burn speed was way faster too.
Speeding Up Flash in Linux
Written by Jason Kendall Monday, 21 February 2011 20:10
My wife was pissed. Enough said. She couldn't play her damn Facebook games - you know what that means, that means I better fix it. Good excuse for a new computer (see other post); I still plan on getting a new one, but there had to be a way to speed up what I already had.
I wanted to expand on what I found here: http://ulyssesonline.com/2010/10/15/adobe-flash-in-linux-is-slow/ and of course ensure it stays available on the web.
Here are the recommended steps from there, and anything else I can find on the net on this subject.
FlashBlock:
"Never be annoyed by a Flash animation again! Blocks Flash so it won't get in your way, but if you want to see it, just click on..."
Wow, what an idea - stop those stupid flash ads from playing and wasting my CPU time, even when I leave the pages open for reference.
Link: https://addons.mozilla.org/en-US/firefox/addon/flashblock/
Webpage Cache in Ram:
One other thing that was suggested is to put the browser cache into RAM. I did this first to see what the improvements were - I have to admit, I love it ;) Short how-to for Firefox on Ubuntu:
- Stop Firefox
- Add the following line to /etc/fstab:
none /home/[USER]/Cache tmpfs size=1G,nr_inodes=10k,mode=0700 0 0
- Link the Firefox Cache to this folder:
Under /home/[USER]/.mozilla/firefox you will find the "default" profile; in that folder, mv Cache to a backup, just in case, then create a symlink in its place: ln -s /home/[USER]/Cache Cache
It turns out some apps don't like it when you block Flash games - in the Flashblock options you can add site whitelists. The problem with Facebook is that the apps run inside an iframe, so just whitelisting apps.facebook.com isn't going to work. I'm going to catalog some URLs of games I come across that require whitelisting.
- Facebook
- Farmville: http://*.farmville.com/*
- Zynga Games: http://*.zynga.com/*
New computer
Written by Jason Kendall Saturday, 12 February 2011 16:34
So, some of you know that recently I found out my desktop is running around 5-6 years old. It kinda explained why things ran so slow. I haven't BUILT a desktop in years, mostly because the last time I tried, you had to watch CPU/motherboard matching. I started to look at bundles, and a site I look at sometimes has a nice build guide: http://www.mmo-champion.com/content/2151-Guides-Contest-Guild-Reputation-Setup-of-the-Month-Recruitment-Comics (scroll down)
In their build suggestion, I was looking at Narwhal and when I looked at the price here locally, I could do it about the same, not including Case, CDRom, HDD and other things I don't really need.
My current vendor of choice is Canada Computers; I find they are reasonable, and not as pushy as TigerDirect has become. So I started looking at the site to see what they had, pre-built. I settled on http://canadacomputers.com/product_info.php?cPath=7_121&item_id=035681 and asked for comments via Twitter. @marshray pointed out the following:
@coolacid another $100 might make a big difference on the video card. The 'Home' OS? Oh and that chipset is defective http://bit.ly/g4BpzI
Sigh - I didn't care for the M$ tax, I use Linux on my desktop. And a defective chipset. Back to the drawing board. Fortunately, he suggested I look at the Gigabyte GA-880GM-UD2H and AMD Phenom II 1055T. I have been a fan of AMD for a long time, but am getting tired of their lack of quality Linux video drivers. But what the hell, let's price it out:
Motherboard:
Gigabyte GA-880GM-UD2H Socket AM3 (Six-Core Support) AMD 880G + SB710 Chipset ATI Radeon HD 4250 Graphics with HDMI/DVI/VGA Dual-Channel DDR3 1800+/1333/1066 MHz 8-Channel HD Audio Gigabit LAN 5x SATA 3Gb/s + 1x eSATA3Gb/s 12x USB 2.0 Micro ATX
http://canadacomputers.com/product_info.php?cPath=26_340&item_id=030753
CPU:
AMD Phenom II X6 1055T (125W) Six Core Socket AM3, 2.8GHz, 9Mb Cache, 2000MHz HT, 45nm (HDT55TFBGRBOX)
http://canadacomputers.com/product_info.php?cPath=4_64&item_id=030520
RAM:
Mushkin Silverline 8GB (2x4GB) DDR3 1333MHz CL9 DIMMs (996770)
http://canadacomputers.com/product_info.php?cPath=24_311_312_611&item_id=035006
Video:
Asus ENGTX470/2DI/1280MD5 nVidia GeForce GTX 470 Chipset (607Mhz) 1280MB (3348Mhz) GDDR5 Dual Dual-Link DVI-I/HDMI Display PCI-Express 2.0 Graphics Card
http://canadacomputers.com/product_info.php?cPath=43_557_559&item_id=030349
Power:
Antec TP-750 Blue Truepower New 750W Continuous Power Supply
http://canadacomputers.com/product_info.php?cPath=33_443&item_id=021535
Motherboard: 87.99
CPU: 174.99
RAM: 76.99
Video: 267.99
Power: 125.99
Total: 732.95
I don't include mail-in rebates - I don't ever expect them to work ;) Comments and suggestions welcomed!
Update: (Mail In Rebates)
Just to kinda keep all this together, MIRs come out to about $65. So IF the MIRs actually go through, total cost before tax would be: $667.96