Difference between revisions of "7lab"

From Tmplab

Latest revision as of 23:26, 10 November 2009

Intro

Testing with:

  • Dynagen & Dynamips (GNS3 not yet working on my Mac)

Future:

  • Asterisk with chan-ss7
  • Intel SS7 stack
  • OpenSS7 new release
  • Kannel

Network

Addressing

tmp (France)

  • 10.42.0-9.x


  • R1 dynamips Cisco ITP
    • 10.0.0.150
    • 10.42.1.1
    • PC: 4.2.1
    • x25: x25routerR1 250
  • R2 dynamips Cisco ITP
    • 10.0.0.160
    • 10.42.2.1
    • PC: 4.2.2
    • x25: x25routerR2 150


  • NET Intel SS7: 10.42.5.x
    • tee1 - Debian 5.02
      • 10.0.0.51
      • 10.42.5.1
      • IP router; add the route on the other hosts:
route add -net 10.42.5.0 10.0.0.51 255.255.0.0
    • tee2 - Debian 5.02
      • 10.0.0.52
      • 10.42.5.2


  • NET Clients VPNSSL: 10.42.8.x
    • tee1 - Debian 5.02
      • 10.42.8.1

bkk (Bangkok, Thailand)

  • 10.42.32.x
  • kin 10.211.55.7, 10.42.32.102
  • mac (parallels 10.211.55.3) 10.42.32.2 VM: kin
  • kiwi 10.42.32.1 VM: 10.42.32.101

tw (Taiwan)

  • 10.42.50-59.x

Source Configuration

GIT

Commands

  • Get your copy
git clone ssh://sevenbone@penguins.dreamhost.com/~/git/7bone.git 7bone
  • Make some modification and compare
git diff
  • Update your local copy with the master repository changes
git pull
  • Add some files to your GIT repository
git add File14 
git add Dir32
  • Commit these changes and new files to your local GIT repository
git commit -m "Comment message here"
  • Push your changes to the master repository
git push origin master

Installation

OpenSS7

On Ubuntu 8.04 only (the build is highly kernel-version dependent)

apt-get install groff-base info bison flex
apt-get install linux-libc-dev libc6-dev libperl-dev
./configure --without-snmp
make
make install

M3UA

  • Check /home/user/openss7-0.9.2.G/sigtran-0.9.2.4/src/modules/m3ua_as.c

SCTPlib

kextload /System/Library/Extensions/SCTP.kext
  • To compile the example programs (echo_tool etc.) with SCTPlib:
gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \
 -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
 -I/opt/local/include   -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
 -D_THREAD_SAFE  -o echo_server echo_server.c sctp_wrapper.c  -lsctplib

gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \
 -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
 -I/opt/local/include   -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
 -D_THREAD_SAFE  -o echo_tool echo_tool.c sctp_wrapper.c  -lsctplib
  • NKE and SCTPlib are mutually exclusive.

Intel / Dialogic SS7 stack

Configuration differences between two peers

  • Useful bits
    • For logging
FORK_PROCESS    ./s7_log -fms7.log -o0xff1f -pms7.pcap
  • Between two different configs
# diff upd/RUN/MTR/M2PA_CONFIG/config.txt upd/RUN/MTU/M2PA_CONFIG/config.txt
6c6,8
< CNSYS:IPADDR=192.168.0.2,PER=0;
---
> CNSYS:IPADDR=192.168.0.1,PER=0;
> *
> SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
8,9d9
< SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
< *
16,17c16,17
< * <ssf>
< MTP_LINKSET  0  1  1  0x0000 2 0x08
---
> *             <ssf>
> MTP_LINKSET  0  2  1  0x0000 1 0x08
26c26
< MTP_ROUTE  1  0  0x0008
---
> MTP_ROUTE  2  0  0x0008
31c31
< SCCP_CONFIG 2 0x8 0x0102
---
> SCCP_CONFIG 1 0x8 0x0102
39c39
< SCCP_SSR 1 RSP 1 0 0x0000
---
> SCCP_SSR 1 RSP 2 0 0x0000
47c47
< SCCP_SSR 3 RSS 1 0x08 0
---
> SCCP_SSR 3 RSS 2 0x08 0
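The diff above only shows where the two config.txt files differ; what it does not say is which of those differences are required for the two peers to talk to each other. As an added example (this is my script, not part of the 7bone repository), the checker below reconstructs the touched lines of both files from the diff and verifies the pairing rules the diff illustrates: each side's SNSLI IPADDR is the other side's CNSYS IPADDR, one end is SNEND=C and the other SNEND=S, both agree on SNTYPE, M2PA and PPORT, and each side's adjacent point code is the other side's local point code. I read the MTP_LINKSET columns as linkset id, adjacent point code, number of links, flags, local point code and ssf; that column order is an assumption taken from the swap visible in the diff, so confirm it against the Dialogic configuration reference before relying on it.

```python
"""Added example (not from the Tmplab page): cross-check two Dialogic/Intel
SS7 config.txt peers.  Only the lines the diff above touches are included."""
from __future__ import annotations

# Reconstructed from the diff on the page (MTR = left side, MTU = right side).
MTR_CONF = """\
CNSYS:IPADDR=192.168.0.2,PER=0;
SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
*
* <ssf>
MTP_LINKSET  0  1  1  0x0000 2 0x08
MTP_ROUTE  1  0  0x0008
"""

MTU_CONF = """\
CNSYS:IPADDR=192.168.0.1,PER=0;
*
SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
*             <ssf>
MTP_LINKSET  0  2  1  0x0000 1 0x08
MTP_ROUTE  2  0  0x0008
"""


def parse_config(text: str) -> dict[str, list]:
    """Parse the two line shapes in config.txt:
    'CMD:K=V,K=V;'  -> dict of parameters
    'CMD a b c'     -> list of positional tokens
    Lines starting with '*' are comments."""
    out: dict[str, list] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if ":" in line and line.endswith(";"):
            cmd, params = line[:-1].split(":", 1)
            entry = dict(p.split("=", 1) for p in params.split(",") if p)
        else:
            cmd, *entry = line.split()
        out.setdefault(cmd, []).append(entry)
    return out


def check_peers(a_text: str, b_text: str) -> list[str]:
    """Return the list of mismatches between two peer configs (empty = consistent)."""
    a, b = parse_config(a_text), parse_config(b_text)
    problems: list[str] = []

    def one(cfg: dict[str, list], cmd: str):
        items = cfg.get(cmd, [])
        if len(items) != 1:
            problems.append(f"expected exactly one {cmd}, found {len(items)}")
            return None
        return items[0]

    a_sys, b_sys = one(a, "CNSYS"), one(b, "CNSYS")
    a_lnk, b_lnk = one(a, "SNSLI"), one(b, "SNSLI")
    a_ls, b_ls = one(a, "MTP_LINKSET"), one(b, "MTP_LINKSET")
    if None in (a_sys, b_sys, a_lnk, b_lnk, a_ls, b_ls):
        return problems

    # SNSLI IPADDR names the remote host, so it must equal the peer's CNSYS IPADDR.
    if a_lnk["IPADDR"] != b_sys["IPADDR"]:
        problems.append(f"A points at {a_lnk['IPADDR']} but B is {b_sys['IPADDR']}")
    if b_lnk["IPADDR"] != a_sys["IPADDR"]:
        problems.append(f"B points at {b_lnk['IPADDR']} but A is {a_sys['IPADDR']}")
    # One SCTP end must be the client (C) and the other the server (S).
    if {a_lnk["SNEND"], b_lnk["SNEND"]} != {"C", "S"}:
        problems.append(f"SNEND must be one C and one S, got {a_lnk['SNEND']}/{b_lnk['SNEND']}")
    # Link type, M2PA instance and port have to agree on both ends.
    for key in ("SNTYPE", "M2PA", "PPORT"):
        if a_lnk.get(key) != b_lnk.get(key):
            problems.append(f"{key} differs: {a_lnk.get(key)} vs {b_lnk.get(key)}")
    # MTP_LINKSET columns (assumed order): id, adjacent PC, links, flags, local PC, ssf.
    if a_ls[1] != b_ls[4] or b_ls[1] != a_ls[4]:
        problems.append("adjacent point codes do not match the peer's local point codes")
    return problems


if __name__ == "__main__":
    for p in check_peers(MTR_CONF, MTU_CONF) or ["peer configs are consistent"]:
        print(p)
```

Run it against the two real files (read them with open() instead of the embedded strings) after every edit to one side; a single mismatched SNEND or PPORT is enough to keep the M2PA link from coming up, and it is much faster to catch that here than by staring at gctload output.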

Commands for MTU/MTR

  • Link activation
./mtpsl ACT 0 0
  • SS7 MSU Play
./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
  • Combined
(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ;\
sleep 5; /mnt/remote/Documents/7bone/intel-stacks/upd/BIN/BACKUP_LNX/mtu -m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"
./gctload -x; sleep 3; (./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5;\
./s7_play -fintel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ; sleep 5; ./intel-dev-upd/BIN/BACKUP_LNX/mtu \
-m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"

Configurations

Hamachi

Quick Start

Run 'make install' and then 'tuncfg' from under the root account.
Run 'hamachi-init -c /etc/hamachi' to generate crypto identity (any account).
Run 'hamachi start' to launch Hamachi daemon.
Run 'hamachi login' to put the daemon online and to create an account.
Run 'hamachi join <network>' to join the network.
Run 'hamachi go-online <network>' to go online in the network.
Run 'hamachi list' to list network members and their status.


OpenVPN

Introduction

Good tutorials can be found here:

We will use TCP port 9443 for the OpenVPN VPNSSL configuration, so your firewall should allow this port outbound.

OpenVPN Certificates

On the OpenVPN server, see /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/

OpenVPN Client configs

client
dev tun
proto tcp
remote lab.tstf.net 1337
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key

OpenVPN Server configs

See http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

  1. Configure your server keys following the instructions in /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
  2. edit vars
  3. ./build-dh
  4. ./pkitool --initca
  5. Create server keys: ./pkitool --server myserver
  6. Copy them to /etc/openvpn:
  7. cp keys/ca.* /etc/openvpn/
  8. cp keys/server1.* /etc/openvpn/
  9. cp keys/dh1024.pem /etc/openvpn/
  10. Copy sample configuration to /etc/openvpn: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
  11. edit /etc/openvpn/server.conf


Example Configuration

local [EXTERNALIP]
port 8443
proto tcp
dev tap0

# we'll add section how to manage certs later
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# this will allow for people to get the same IP address after a reconnect
ifconfig-pool-persist /etc/openvpn/ipp.txt

keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
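The client config in "OpenVPN Client configs" and the server config just above are the two files that decide whether a VPNSSL client can be tricked into talking to something other than the real server. As an added example (my script, not tooling from the lab or from OpenVPN), the checker below parses OpenVPN's one-directive-per-line format and reports the points a reviewer looks at before deploying: the client must verify the server certificate's role (the page's `ns-cert-type server`, or `remote-cert-tls server`, which is the directive OpenVPN introduced to replace it), both sides should drop root with `user`/`group`, the server must name its CA, certificate, key and DH parameters, and a high `verb` level should not survive into production. Both configs are copied from this page and embedded so the script runs offline.

```python
"""Added example (not code from the Tmplab page): a checker for the OpenVPN
client and server configs shown on the page."""
from __future__ import annotations

# Both configs are copied from the page so the script runs without any files.
CLIENT_CONF = """\
client
dev tun
proto tcp
remote lab.tstf.net 1337
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key
"""

SERVER_CONF = """\
local [EXTERNALIP]
port 8443
proto tcp
dev tap0
# we'll add section how to manage certs later
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
"""


def parse_openvpn(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the argument lists it appears with.
    Lines are 'directive arg ...'; '#' or ';' start a comment; a directive
    may repeat (several 'remote' lines, for instance), hence the list."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_config(text: str, role: str) -> list[str]:
    """Return findings for a 'client' or 'server' config (empty list = clean)."""
    d = parse_openvpn(text)
    findings: list[str] = []
    # Both sides should drop root once the tunnel is up.
    for directive in ("user", "group"):
        if directive not in d:
            findings.append(f"missing '{directive}' (daemon keeps root privileges)")
    # Certificate material has to be named on both sides.
    for directive in ("ca", "cert", "key"):
        if directive not in d:
            findings.append(f"missing '{directive}'")
    if role == "client":
        # Without a server-role check any certificate signed by the CA, including
        # another client's, is accepted as the server.
        has_ns = ["server"] in d.get("ns-cert-type", [])
        has_rct = ["server"] in d.get("remote-cert-tls", [])
        if not (has_ns or has_rct):
            findings.append("no server-role check: add 'remote-cert-tls server'")
        elif has_ns and not has_rct:
            findings.append("'ns-cert-type server' is deprecated; prefer 'remote-cert-tls server'")
        if "remote" not in d:
            findings.append("missing 'remote'")
    elif role == "server":
        if "dh" not in d:
            findings.append("missing 'dh' (no Diffie-Hellman parameters)")
        for args in d.get("verb", []):
            if args and args[0].isdigit() and int(args[0]) >= 5:
                findings.append(f"'verb {args[0]}' logs per-packet detail; lower it for production")
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


if __name__ == "__main__":
    for label, conf, role in (("client", CLIENT_CONF, "client"), ("server", SERVER_CONF, "server")):
        print(f"{label}: " + "; ".join(check_config(conf, role) or ["no findings"]))
```

Against the page's own files the client gets one finding (the deprecated `ns-cert-type` form) and the server gets one (`verb 6`); a client config with no role check at all gets the "add 'remote-cert-tls server'" finding, which is the one that matters most.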

Networking

/etc/init.d/net-addroute

#!/bin/sh
### BEGIN INIT INFO
# Provides:          net-addroute   
# Required-Start:    $all
# Required-Stop:     
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Adds 7Bone default routes at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
#route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51

case "$1" in
start)
        route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

stop)
        route del -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

force-reload|restart)
        echo "No reload possibility for this script"
        ;;

*)
        echo "Usage: /etc/init.d/net-addroute {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0

Cisco ITP

  1. cs7 variant itu
  2. cs7 point-code 1.2.3
  3. Maybe: cs7 capability-pc 1.2.3
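The `cs7 point-code 1.2.3` form above is the dotted 3-8-3 notation for an ITU-T point code (Q.704: 3-bit zone, 8-bit area, 3-bit signalling point, 14 bits in all). As an added example (mine, not from the page), here is the conversion between that notation and the 14-bit integer, with the range checks that catch a typo like a zone of 9 before it reaches a router.

```python
"""Added example (not from the Tmplab page): ITU-T 3-8-3 point code conversion."""


def pc_to_int(dotted: str) -> int:
    """'zone.area.sp' -> 14-bit integer (zone 0-7, area 0-255, sp 0-7)."""
    parts = dotted.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"point code {dotted!r} is not zone.area.sp")
    zone, area, sp = (int(p) for p in parts)
    if not (zone < 8 and area < 256 and sp < 8):
        raise ValueError(f"point code {dotted!r} is out of 3-8-3 range")
    return (zone << 11) | (area << 3) | sp


def int_to_pc(value: int) -> str:
    """14-bit integer -> 'zone.area.sp'."""
    if not 0 <= value < (1 << 14):
        raise ValueError(f"{value} does not fit in 14 bits")
    return f"{value >> 11}.{(value >> 3) & 0xFF}.{value & 0x7}"


if __name__ == "__main__":
    for pc in ("1.2.3", "4.2.1", "4.2.2"):   # values used on this page
        print(pc, "->", pc_to_int(pc), "->", int_to_pc(pc_to_int(pc)))
```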

Diagnostics

SIGTRAN sniffing

  • wireshark
  • Remove the HEARTBEAT and HEARTBEAT_ACK chunks with the display filter:
sctp.chunk_type != 4 and sctp.chunk_type != 5
  • Check INITs with:
sctp.chunk_type == 1
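The two filters above work on the chunk type byte of each SCTP chunk. As an added example (mine, not part of the page), the parser below walks raw SCTP packets the way Wireshark's dissector does and applies the same two tests: hide packets that carry only HEARTBEAT (type 4) and HEARTBEAT_ACK (type 5) chunks, and find packets carrying an INIT (type 1). The layout is from RFC 4960: a 12-byte common header (source port, destination port, verification tag, CRC32c), then chunks as type/flags/length TLVs padded to 4 bytes. The sample packets are constructed here (the CRC field is left zero, which Wireshark would flag); port 3565 is the PPORT from the M2PA config on this page.

```python
"""Added example (not from the Tmplab page): SCTP chunk walker for the two
Wireshark display filters used when sniffing SIGTRAN."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Chunk type numbers from RFC 4960.
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN_ACK",
               9: "ERROR", 10: "COOKIE_ECHO", 11: "COOKIE_ACK", 12: "ECNE",
               13: "CWR", 14: "SHUTDOWN_COMPLETE"}


@dataclass
class Chunk:
    ctype: int
    flags: int
    value: bytes

    @property
    def name(self) -> str:
        return CHUNK_NAMES.get(self.ctype, f"UNKNOWN({self.ctype})")


def parse_sctp(packet: bytes) -> tuple[int, int, int, list[Chunk]]:
    """Return (src_port, dst_port, vtag, chunks) for one SCTP packet (no IP header)."""
    if len(packet) < 12:
        raise ValueError("truncated SCTP common header")
    src, dst, vtag, _crc = struct.unpack("!HHII", packet[:12])
    chunks: list[Chunk] = []
    off = 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError(f"truncated chunk header at offset {off}")
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        # Length covers the 4-byte chunk header; a value below 4 would loop forever.
        if length < 4 or off + length > len(packet):
            raise ValueError(f"bad chunk length {length} at offset {off}")
        chunks.append(Chunk(ctype, flags, packet[off + 4:off + length]))
        off += (length + 3) & ~3          # every chunk is padded to a 4-byte boundary
    return src, dst, vtag, chunks


def is_heartbeat_only(packet: bytes) -> bool:
    """True if the packet carries nothing but HEARTBEAT/HEARTBEAT_ACK chunks,
    i.e. what 'sctp.chunk_type != 4 and sctp.chunk_type != 5' is meant to hide."""
    return all(c.ctype in (4, 5) for c in parse_sctp(packet)[3])


def has_init(packet: bytes) -> bool:
    """True if the packet contains an INIT chunk ('sctp.chunk_type == 1')."""
    return any(c.ctype == 1 for c in parse_sctp(packet)[3])


def build_packet(src: int, dst: int, vtag: int, chunks: list[tuple[int, int, bytes]]) -> bytes:
    """Assemble a packet for testing; the CRC32c field is left as zero."""
    body = b""
    for ctype, flags, value in chunks:
        length = 4 + len(value)
        body += struct.pack("!BBH", ctype, flags, length) + value
        body += b"\0" * ((-length) % 4)
    return struct.pack("!HHII", src, dst, vtag, 0) + body


# Constructed samples: an INIT (vtag must be 0, fixed part is 16 bytes) and a
# HEARTBEAT carrying one Heartbeat Info parameter (type 1, length 8).
INIT_PKT = build_packet(3565, 3565, 0, [(1, 0, bytes(16))])
HB_PKT = build_packet(3565, 3565, 0xDEADBEEF, [(4, 0, b"\x00\x01\x00\x08hbin")])

if __name__ == "__main__":
    for pkt in (INIT_PKT, HB_PKT):
        src, dst, vtag, chunks = parse_sctp(pkt)
        print(f"{src}->{dst} vtag={vtag:#x}", [c.name for c in chunks],
              "heartbeat-only" if is_heartbeat_only(pkt) else "", "INIT" if has_init(pkt) else "")
```

Wireshark's own `!=` semantics on a field that occurs several times in one packet have changed between releases, so on a packet that mixes a HEARTBEAT with a DATA chunk the GUI filter and `is_heartbeat_only` may disagree; the function above keeps the packet whenever any non-heartbeat chunk is present, which is the behaviour you want when you are looking for the M3UA/M2PA traffic.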

Testing

Security

XOT

  • http://www.fyonne.net/

Links

  • http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=site%3Ahttp%3A%2F%2Fwww.eurescom.eu%2F~pub-deliverables%2F+security+ss7&aq=f&oq=&aqi=