Friday, 2 November 2012

Windows 8: Hyper-V Issues Solved

A quick post to detail my struggles with Hyper-V installation


I recently upgraded to Windows 8 Pro and wanted to take use of Hyper-V, Microsofts hypervisor / virtual machine host.

Enabling Hyper-V in Windows was tricky however, here are the steps I went through:

- Search start screen for "windows features" in the "settings" search and click "turn windows features on or off"
- Turn on "Hyper-V"
- Machine will need to reboot
- For me, Hyper-V wasnt working when it came back up, reboot again. Guides say you may need to pull out power cable when it's off and remove battery.
- Hyper V worked but trying to start a VM or install a network switch gave "cannot connect to localhost" issues
- I went to network adapters, my ethernet adaptor and then installed the "hyper-v" protocol. This disabled my ethernet access
- In frustration I removed Hyper-V
- I calmed down and re-enabled Hyper-V
- This time everything worked fine

Summary:

"localhost" issues with Hyper-V are networking related, your networking may not have installed cleanly
Re-installing can help

Friday, 3 August 2012

Severe Security Issues with MSChapV2

*Introduction*

Those of you who went to or follow the Defcon conference in vegas may have seen Moxie Marlinspike's work on MSChapV2. This is the auth scheme i recommended for the raspberry pi pptp vpn. Ie, when the client connects to the VPN, it is the scheme by which the client proves it knows the password without sending the password in cleartext.

A problem i was aware of with MSChapV2 was that the password is bruteforceable, ie if an attacker can capture you connecting to your VPN (ie in a wifi cafe) then they can attempt to crack your password. If the password is weak and they are successful, they can decrypt all of your traffic and also connect to the the network themselves.

However, Moxie analysed MSChapV2 and found a significant design flaw, that is worth reading about: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
in short, he found that the whole protocol can be reduced down to a single (56bit) DES encryption, and if you can crack that you can crack MSChapV2. He then worked with David Hulton, an FPGA wiz, to crack DES in under 24 hours. He has made this service available on his website https://www.cloudcracker.com.

*Summary*

So, in summary, if you use a PPTP VPN with MSChapV2 (as i described), someone could intercept that traffic and decrypt all of it 100% reliably and potentially provide access to your network. This is obviously very bad.

*Risk*

Now the risk talk. If you're an average individual, you're unlikely to be on a network with an attacker capable and motivated enough to do it. The risk is very real, but i would say fairly low for now. The VPN will certainly make you safer against a certain level of attacker (ie someone just sniffing open wifi points). This is clearly not a perfect strategy so i will be working on a second guide to use the RasPi as a IPSEC VPN endpoint as this is also supported by the iDevices and is currently believed to be stronger.

Thanks to Moxie for making this public and providing such an entertaining talk!

Thursday, 21 June 2012

RaspberryPi as a PPTP VPN Server - HOWTO

*Introduction*


IMPORTANT UPDATE: Severe security issues found in MSChapV2, ie the scheme described below, see http://jmparound.blogspot.com/2012/08/severe-security-issues-with-mschapv2.html for discussion of how it relates to the RasPi VPN.

Having received a Raspberry Pi, the best usage I saw for it was as a £35, 5W VPN endpoint. Maybe at some point in the future I'll add other features (SMB, Radius Auth, Log files from router) but for now, that would rock.

I looked at VPN schemes. OpenVPN crops up a few times on blogs, but with a significant problem that you generally need a client for it that isnt always available. My goal is to have a VPN that works "out of the box" with windows 7 (laptop) and iPad. The best option seems to be a PPTP VPN. There are a couple of guides to getting this working but none which were idiot-proof to my level of idiocy so I am currently trying to work it out.

First things first, I copied the RasPi Debian image onto an SD card with unetbootin. This didnt work. The Raspberry Pi just sits there with a power led and no activity leds.The diskimagerpro or whatever is recommended on the RasPi site is needed.

I copied over the debian image and changed the name of boot_enable_ssh.rc to boot.rc to enable ssh. I figured at some point i would need to run iptables so tried to fire it up but no luck. It seems the RasPi debian kernel is configured without the modules needed for iptables.

One note before you start, if you havent discovered the linux "screen" command, do it before you start, theres a bunch of stages that either take ages or make your connection drop so running commands within screen will save your bacon as when the connection drops itll just detach and your commands keep running. You can then reattach when the connection comes back up.

*Getting SSH, HDMI and pacman working on Arch on the Pi*

I decided to compile my own kernel (first time!) and so followed the guide at http://elinux.org/RPi_Kernel_Compilation exactly. This meant installing Arch. Arch linux on the Raspberry Pi didnt start an SSH server and wouldnt recognise my HDMI connection. Some people in the #raspberrypi room at freenet pointed me at some docs that showed editing the config.txt file on the SD card to add "hdmi_safe" instead of "hdmi_mode=19" worked. The SSH host key had apparently dissapeared so recreated it with ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key After this i could administer it by SSH. I needed to install things like "screen" so tried "pacman -S screen" but got 404 errors. Some googling suggested i needed to synchronize the repositories so "pacman -Sy pacman" and then pressing "n" when it asked seemed to magically make it work. After that I followed the kernel compilation guide but discovered it wasnt fully n00b friendly. 


*Kernel Compilation for PPTP*
I git cloned the raspberry pi kernel but did need to use "--depth 1" to not get a memory error. I cloned it to /root/raspberrypi. i used zcat to create the .config file at /root/raspberrypi/linux/.config and then in the ../linux directory ran "menuconfig"
I followed the notes at http://en.gentoo-wiki.com/wiki/PPTP to give me an idea as to the kernel options to select. Following that i ran "make" (in a screen session!!) and left it overnight
The kernel image needed to be prepared for the pi and the page at elinux said to use the tools download. GIT cloning them always resulted in out of memory errors so i downloaded the files manually from a windows box, copied them over and ran dos2unix on them to make sure they were ok. Note here, the tutorial suggests you just need the python file, you need all of them. Once i had prepared the image, i copied it as per the tutorial and rebooted. Win.
<edit: i have since found out that iptables is already enabled in the Arch image, still, im not sure the other bits needed for PPTP is so it may be worth following this>

*Installing PPTP Server in Arch*
I followed the page at https://wiki.archlinux.org/index.php/PPTP_Server which was generally pretty good. Installed pptpd using pacman -S pptpd and then followed the guide. The only changes i made was to change the DNS servers from googles (8.8.8.8) to my main router.I also didn't need to do the ufw-config bit as had configured iptables already. The only bit that required some understanding was the remoteip bit. It seems that localip is the ip address of the RasPi and remoteip is the addresses you want VPN clients to assume.

*Client Config*
So, i supposedly had the Pi configured as a VPN server. I set up dynamic DNS so i could track my IP as it changed and then port forwarded tcp 1723 to the Pi. Thankfully my router worked out forwarding GRE itself as there were no obvious options for it. For Win7, open "Network and Sharing" centre and click "Set up a new Connection or Network". Select "Connect to a Workplace" and then choose "no, create a new connection". Click "Use my internet connection" and for the internet address use your home IP or the dynamic DNS name you have set up. Select, "dont connect now, just create", you can then skip the next stage without putting in credentials.

It will have created the adapter so go back to Network and sharing centre and click "manage network adapters". Right click on the newly created VPN adapted and choose "properties". On the security tab, change "type of VPN" to "PPTP" and underneath uncheck the boxes so that only MS-CHAP v2 is allowed. Click ok and try to connect. It should work once you have entered the username and password that correspond to what you put in the "ms-chap-secrets" file.

Now i got a wierd problem here. I could connect to www.google.com but not any complex site. Ping worked but anything more complex didnt seem to. Some very smart people helped me debug it and it found that there had been something screwy in the MTU (maximum transmissable unit) set by windows. Ie the RasPi was forwarding the packets but they were never making it to my windows box. After (much) trial and stress, I eventually found this solution http://support.microsoft.com/kb/826159 which (following a reboot) seems to work like a charm. If this doesnt work for you then one thing I did do that might have affected it was change the MTU on the RasPi's ethernet connection to 1395. I did this through ifconfig eth0 mtu 1395 and then ifconfig eth0 down && ifconfig eth0 up. Not certain this is necessary though.

*iPad config*
Ipad wasnt too bad, goto the network settings page, in there find the vpn part and configure a new connection. Put in all the basic details and away you go! Worked first time for me.