Playing with Kali-box and Omnia

Hi All

My Turris has been working perfectly since the 3.4 patch (thank you CZ.NIC team). Being very cautious and a little paranoid about security, I have everything nailed down tight and control everything. I have static leases on most MAC addresses but still allow DHCP allocation for the occasional visitor to get onto my network. Yesterday I kept losing my Internet connection but thought nothing of it; this morning was the same. I have been investigating my DHCP, logs and leases and have discovered I have had an unwelcome hacker on my LAN / one of my VLANs. I have taken suitable precautions to prevent the hacker getting in again, but the question remains unanswered about how the hacker got in. At this time it does coincide with me adding some new hardware onto my LAN, and so I am associating it with that connection!

Has anyone else experienced any Security breaches with their Turris??

You have to describe the problem in a little more detail. Is the VLAN via Wi-Fi? How is it set up? Do you have a strong password? Is the SSID open or closed?

If an attacker logged on, did they break the password? Did they know the MAC address, or only the password?

Have you analyzed the new had to be?

I believe the attacker got on via a Kali Linux box. I am involved in cyber security and had just created a new box; fortunately I have this separated on a separate VLAN. I left this connected to the web and I believe someone managed to get in via a back door. Once on, they then gained an IP address and attempted a MITM attack; when I terminated the wired connection I believe they jumped onto the network via Wi-Fi, as they had already created the remote connection back into their environment. I have changed both Turris passwords and all of my Wi-Fi passwords and also continue to keep the Kali box separated from the web. I will rebuild the box from fresh, as I believe this happened when I was first loading and updating the software.

I should add: I believe I inadvertently gave them the Turris passwords during their MITM attack when I found I had no Internet connection. Stupid mistake on my part; normally I am more careful, but I didn't think that someone may have gotten onto the LAN. The attacker was careful and had covered their tracks by deleting and renaming the iptables logs; fortunately I spotted there was a gap in the log history. Normally I have the honeypots activated as set up on the Turris, but I must have inadvertently deactivated these during the issues with the previous patches, as the Turris was very unstable back at that time. Of course my theories on how the attack happened are guesswork, which is the reason for my question about others reporting anything similar??

I call BS. OP watched too much Mr. Robot :slight_smile:


And DNSSEC ???

We are each entitled to our own opinion; unfortunately yours would be wrong!! Ignorance is bliss; just keep living in your perfect world of flowers and roses.

I don't use DNS forwarding and my DNSSEC is enabled. Like I suggested, I know the attacker got in as I could see there was a current DHCP lease, and therefore I know exactly what time the attacker managed to get themselves on the network; I even know the device they used through the MAC address and the default name, although of course these can be faked.

As I have now isolated the Kali Linux box, it will be interesting to see if they get on the network again. If they don't, then I can attribute it to the scenario I described; however, if they get on again then there must be another entry point for them. I have 2 servers on my network, one public and the other an internal server that is not publicly accessible. Neither of these appears to have been touched; however, both of these are on separate VLANs. Will keep you updated if the attacker manages to get on the network again.

Good fun! The one who plays isn't angry :-) I am not skilled at such playing.

What does any of this have to do with the Omnia? I have to agree with @turrisuser

Did you have any port forwardings to servers in your LAN? If so, any bug in these services can lead to the attack. But this has nothing to do with the Turris Omnia.

Hi JamesT42
Nothing behind the curtain, no, but I do have forwarding to a public server in front of the curtain. I have been watching with great fascination through the day at further attempts by someone to get behind the curtain and failing. Then this happened. Fortunately they were completely isolated. I just cannot work out how they are getting an IP address other than there being a backdoor? Very odd :frowning:

I have hidden the internal IP addresses, by the way; didn't want to give anyone attempting to breach my LAN any more ammunition.

2017-01-09T14:03:08+00:00 info dnsmasq-dhcp[2095]: DHCPREQUEST(br-Kali) 192.168.0.21 20:a9:0e:ff:3c:7a
2017-01-09T14:03:08+00:00 info dnsmasq-dhcp[2095]: DHCPNAK(br-Kali) 192.168.0.21 DHCPREQUEST20:a9:0e:ff:3c:7a wrong network
2017-01-09T14:03:08+00:00 warning kernel[]: [1526155.226302] REJECT(src Kali)IN=br-Kali OUT= MAC= SRC=192.168.x.x DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0xC0 TTL=64 ID=39531 PROTO=UDP SPT=67 DPT=68 LEN=308
2017-01-09T14:03:20+00:00 info dnsmasq-dhcp[2095]: DHCPDISCOVER(br-Kali) 20:a9:0e:ff:3c:7a
2017-01-09T14:03:20+00:00 info dnsmasq-dhcp[2095]: DHCPOFFER(br-Kali) 192.168.x.x 20:a9:0e:ff:3c:7a
2017-01-09T14:03:20+00:00 info dnsmasq-dhcp[2095]: DHCPREQUEST(br-Kali) 192.168.x.x 20:a9:0e:ff:3c:7a
2017-01-09T14:03:20+00:00 info dnsmasq-dhcp[2095]: DHCPACK(br-Kali) 192.168.x.x 20:a9:0e:ff:3c:7a android-13848d08b04cb0cb

Hi,
there are no backdoors or open things in Omnia.

According to your posts, it may be a virtual computer running in your network, or your Kali box may be changing MAC addresses.

You can stay calm.


topic renamed and moved to proper category


Good afternoon Vaclav

Yes, I agree; I believe I know what the culprit was and even know how. It was my own stupid mistake that let it happen. What is still proving a mystery are the messages below that I am getting from the kernel. I have taken actions to correct my mistakes and yet I am still seeing this on an approximately 10 minute basis. I know there is nothing connected to this particular VLAN / interface and I know nothing is connecting wirelessly, but yet I still get these rejections.

There is no possible way that anyone can connect using the previous methods; I have completely prevented that! It's just this 10 minute interval and the attempted connection that's puzzling me??

REJECT(src Kali)IN=br-Kali OUT= MAC=01:00:5e:00:00:01:d8:58:d7:00:3d:da:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
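The dnsmasq DHCP lines posted earlier in the thread and the kernel REJECT line above share two fixed formats, so both can be triaged mechanically. The script below is an added example, not code from the thread or from Turris: it parses both formats, flags DHCPACKs handed to MACs outside a static-lease allowlist, and labels each REJECT by what the packet is (the UDP 67→68 line is a DHCP server reply arriving on the bridge; the PROTO=2 line to 224.0.0.1 with TTL=1 is an IGMP general membership query, and its MAC= field carries the source MAC that identifies which interface sends it). The sample log is constructed with made-up addresses; the interface name and MACs are the ones posted.

```python
import re

# Constructed sample lines modelled on the excerpts in this thread; the IP
# addresses are made up (the poster redacted theirs), the MACs are as posted.
SAMPLE_LOG = """\
2017-01-09T14:03:08+00:00 info dnsmasq-dhcp[2095]: DHCPNAK(br-Kali) 192.168.0.21 20:a9:0e:ff:3c:7a wrong network
2017-01-09T14:03:08+00:00 warning kernel[]: [1526155.226302] REJECT(src Kali)IN=br-Kali OUT= MAC= SRC=192.168.5.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0xC0 TTL=64 ID=39531 PROTO=UDP SPT=67 DPT=68 LEN=308
2017-01-09T14:03:20+00:00 info dnsmasq-dhcp[2095]: DHCPACK(br-Kali) 192.168.5.23 20:a9:0e:ff:3c:7a android-13848d08b04cb0cb
2017-01-09T14:13:20+00:00 warning kernel[]: [1526755.100000] REJECT(src Kali)IN=br-Kali OUT= MAC=01:00:5e:00:00:01:d8:58:d7:00:3d:da:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
"""

# dnsmasq: "<MSG>(<iface>) [<ip>] <mac> [<hostname or reason>]"
DHCP_RE = re.compile(r"dnsmasq-dhcp\[\d+\]: (DHCP[A-Z]+)\((\S+)\) "
                     r"(?:(\d+\.\d+\.\d+\.\d+) )?([0-9a-f:]{17})(?: (.*))?$")
# netfilter log prefix "REJECT(<rule>)" followed by key=value fields
REJECT_RE = re.compile(r"REJECT\([^)]*\)(?P<fields>.*)$")

def classify_reject(f):
    """Name the traffic a REJECT line describes from its key=value fields."""
    if f.get("PROTO") == "2" and f.get("DST") == "224.0.0.1":
        # IGMP general query: TTL=1 to all-hosts, sent periodically by the segment's
        # multicast querier; SRC=0.0.0.0 means the querier has no address on the interface.
        return "igmp-general-query"
    if f.get("PROTO") == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68":
        # Server-to-client DHCP broadcast seen on the interface: a DHCP server is answering here.
        return "dhcp-server-broadcast"
    return "other"

def split_mac_field(mac):
    """MAC= holds dst MAC, src MAC and EtherType back to back (14 octets, 41 chars)."""
    if len(mac) != 41:
        return None, None, None
    return mac[:17], mac[18:35], mac[36:]

def analyze(log_text, known_macs):
    """Return findings: leases given to unknown MACs, NAKs, and classified REJECTs."""
    findings = []
    for line in log_text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            msg, iface, ip, mac, rest = m.groups()
            if msg == "DHCPACK" and mac not in known_macs:
                findings.append({"kind": "unknown-lease", "iface": iface, "mac": mac, "ip": ip, "host": rest})
            elif msg == "DHCPNAK":
                findings.append({"kind": "lease-nak", "iface": iface, "mac": mac, "ip": ip, "reason": rest})
            continue
        r = REJECT_RE.search(line)
        if r:
            f = dict(kv.split("=", 1) for kv in r.group("fields").split() if "=" in kv)
            _dst_mac, src_mac, _ethertype = split_mac_field(f.get("MAC", ""))
            findings.append({"kind": classify_reject(f), "iface": f.get("IN"), "src": f.get("SRC"), "src_mac": src_mac})
    return findings
```

Run `analyze(open("/var/log/messages").read(), {"<your static-lease MACs>"})` on the router's own log to get the same triage over real data.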

I knew what it was :slight_smile: What I was unsure of is why it is happening on a VLAN with nothing physically connected, either via Ethernet or the Wi-Fi. Given absolutely no connectivity from the LAN, it is obviously being triggered via the Omnia.

If there was something there I could understand it, but there is nothing. :confused: