Friday, 23 October 2015

Scanning for SSL certificates

I needed a way to quickly find out which SSL certificates we are using, so I came up with this quick shell script to scan for SSL sites and grab the certificates. It scans a class B net (a /16, 65,536 addresses) in around 10 minutes.

This small script scans for open port 443 using nmap, then uses openssl to connect to each server, extract the certificate, and parse it to human readable format. It then prefixes all output lines with the IP address to make the output file grep-able. Two things to be aware of: openssl connects by IP address, so no SNI name is sent, and a server that hosts several names on one address will hand back its default certificate; and only the first certificate in the chain (the server's own) is printed, so intermediates are not listed.


#!/bin/bash
# shell script to find and extract certificates from web servers

# (c) Copyright 2015 by Povl H. Pedersen - This script can be modified and used
# as you wish. Do not use as is without attribution.

# Unpredictable temp file instead of /tmp/sslscan-$$, so another local user
# cannot pre-create or symlink the name; removed again on exit.
scan=$(mktemp /tmp/sslscan.XXXXXX) || exit 1
trap 'rm -f "$scan"' EXIT

# Host discovery with a SYN ping to 443, connect scan of 443, greppable output only.
# "$@" passes the target specification (e.g. 10.0.0.0/16) through unchanged.
nmap -p443 -PS443 -sT -oG "$scan" "$@" >/dev/null

# The sed is there to sanitize IP addresses to contain only digits + "."
# so nothing from the nmap output file (garbage, a crafted hostname, a race
# condition) can reach the shell as a command. Each host is then dumped with
# openssl, and the final sed prefixes every line with the IP to make the
# output grep-able.
grep -F ' 443/open' "$scan" | awk '{print $2}' | sed 's/[^0-9.]//g' |
while read -r ip; do
    openssl s_client -connect "$ip:443" </dev/null 2>/dev/null |
    openssl x509 -noout -text |
    sed "s/^/$ip\t/"
done
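As an added example (my code, not the original script above), the following POSIX shell functions show the two points that matter when you build on this approach: the host list taken from nmap's greppable output should be validated as a strict dotted quad rather than just stripped of odd characters, and the certificate fetch should send an SNI name when one is known, because connecting by bare IP only returns a server's default certificate. The gnmap lines in SAMPLE_GNMAP are constructed test data, and the 10.0.0.x addresses are placeholders, not hosts from the post.

```shell
#!/bin/sh
# Added example, not the original script: strict host extraction from nmap
# greppable (-oG) output plus an SNI-aware certificate summary. SAMPLE_GNMAP
# below is constructed test data, not a real scan.

# Read nmap -oG output on stdin and print only the IPv4 addresses of hosts
# reported with 443/open. Anything that is not a plain dotted quad is
# dropped, so scan output can never be executed as a command.
hosts_with_443() {
    grep -F ' 443/open' |
    awk '{print $2}' |
    grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Connect to $1:443 and print subject, issuer, SANs and expiry, each line
# prefixed with the IP. If a DNS name is given as $2 it is sent as SNI, which
# is what makes a name-based virtual host return the right certificate;
# connecting by bare IP only gets the default one.
cert_summary() {
    ip=$1
    sni=${2:+-servername $2}
    openssl s_client -connect "$ip:443" $sni </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate -ext subjectAltName 2>/dev/null |
        awk -v ip="$ip" '{print ip "\t" $0}'
}

# Constructed sample of nmap -oG output: one host with 443 open, one with it
# closed, one line with junk where the address should be, and one more open host.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.1 ()  Status: Up
Host: 10.0.0.1 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///  Ignored State: closed (998)
Host: 10.0.0.2 ()  Ports: 80/open/tcp//http///, 443/closed/tcp//https///
Host: 10.0.0.3;reboot ()  Ports: 443/open/tcp//https///
Host: 10.0.0.4 ()  Ports: 443/open/tcp//https///
# Nmap done'

# Run the filter over the sample; prints 10.0.0.1 and 10.0.0.4 only.
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_443

# Real use (needs network and the nmap/openssl binaries):
#   nmap -p443 -PS443 -sT -oG - 10.0.0.0/16 | hosts_with_443 |
#   while read -r ip; do cert_summary "$ip"; done
# For a known vhost: cert_summary 10.0.0.1 www.example.com
```

The `grep -Ex` filter is deliberately a whitelist: the junk line is rejected outright instead of being "cleaned" into something that still looks like an address. `-ext subjectAltName` needs OpenSSL 1.1.1 or later; on older releases drop it and fall back to `-text`.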

Tuesday, 2 June 2015

Ethernet over existing cables

In an attempt to get IPTV to my living room, I have tried to bridge wireless with limited success. I have also tried HomePlug AV2 with limited success; it was even worse than the wireless bridge.

My problem is that I have 2 antenna cables near my TV, one for satellite and one for TV. They seem to be stuck in the conduit (probably the soap I used to get past the first bend), or I would replace one with ethernet cable. I have an injector that can mix TV (<865 MHz) and Sat on the same antenna cable, so I really only need one.

But since both cables are stuck, ethernet is not an option.

Since my cable company can provide high speed internet over antenna cables, I looked for a home solution. And there is actually one that works: the Marmitek IPTV Coax Pro, using the MoCA 1.1 standard, running 100 Mbit ethernet over coax. I tested it on both the Sat cable and the CATV cable, and both worked, giving 100 Mbit/s consistently.

I have found one issue, and that is, that multicast is limited to 10 Mbps, thus making it worthless for IPTV unless you can encapsulate the multicast.

My first attempt was simple VLAN bridging between an OpenWRT based router at each end. This worked, but still with the 10 Mbps limit: a VLAN tag does not change what marks a frame as multicast, which is the group bit set in its destination MAC address, so the Marmitek box still rate-limits it. The only solution is therefore a protocol that wraps the traffic in a new (unicast) header.

Then I created a GRE tunnel between the 2 routers, and bridged the tunnel with the untagged VLAN (basically just an isolated switch port) at each end. This resulted in multicast loopback, eating all bandwidth, and causing the fiber router to transmit noise over a wide band of the antenna output, even in the high frequencies, jamming both analog TV and the Marmitek.

So I decided to put up a DHCP server on the OpenWRT near the IPTV box, assign the box an IP address, and use source based routing to send its traffic over the GRE tunnel.

Since I am routing an internal IP address, I also need to set up igmpproxy on the provider-facing OpenWRT, and for good measure source based routing on the outside OpenWRT as well.
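As an added illustration (my configuration sketch, not the author's, which the post does not show), this is what that arrangement looks like in OpenWrt UCI syntax. Everything named here is an assumption: the IPTV-side router is "inside" and the provider-facing one is "outside"; they reach each other over the MoCA link as 192.168.1.2 and 192.168.1.1; the GRE tunnel itself uses 10.99.0.0/30; the IPTV box sits alone on switch port eth0.3 in 192.168.50.0/24; and the provider network is the outside router's "wan". The return path on the outside router is shown as an ordinary route to the IPTV subnet rather than a second source based rule. The point of the design is that the multicast stream only ever crosses the coax inside unicast GRE packets, so the Marmitek box never sees a multicast frame and its 10 Mbps limit does not apply.

```uci
# ===== inside router (next to the IPTV box): /etc/config/network =====
# Assumed: 192.168.1.2 is this router on the MoCA link, 192.168.1.1 is the
# outside router, eth0.3 is the isolated switch port for the IPTV box.

# isolated port the IPTV box plugs into
config interface 'iptv'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# GRE tunnel to the outside router (ipaddr = local, peeraddr = remote);
# MTU lowered to leave room for the GRE + outer IP header
config interface 'gre_out'
	option proto 'gre'
	option ipaddr '192.168.1.2'
	option peeraddr '192.168.1.1'
	option mtu '1400'

# addressing on the tunnel itself
config interface 'gre_out_static'
	option proto 'static'
	option ifname '@gre_out'
	option ipaddr '10.99.0.2'
	option netmask '255.255.255.252'

# source based routing: anything from the IPTV subnet consults table 100
config rule
	option src '192.168.50.0/24'
	option lookup '100'

# table 100 has a single default route into the tunnel
config route
	option interface 'gre_out_static'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '10.99.0.1'
	option table '100'

# ===== inside router: /etc/config/dhcp =====
# hand the IPTV box an address on the isolated port
config dhcp 'iptv'
	option interface 'iptv'
	option start '100'
	option limit '50'
	option leasetime '12h'

# ===== outside router (provider facing): /etc/config/network =====
config interface 'gre_in'
	option proto 'gre'
	option ipaddr '192.168.1.1'
	option peeraddr '192.168.1.2'
	option mtu '1400'

config interface 'gre_in_static'
	option proto 'static'
	option ifname '@gre_in'
	option ipaddr '10.99.0.1'
	option netmask '255.255.255.252'

# return path for the IPTV subnet goes back down the tunnel
config route
	option interface 'gre_in_static'
	option target '192.168.50.0'
	option netmask '255.255.255.0'
	option gateway '10.99.0.2'

# ===== outside router: /etc/config/igmpproxy =====
# join groups towards the provider on wan, forward the streams into the tunnel
config igmpproxy
	option quickleave '1'

config phyint
	option network 'wan'
	option zone 'wan'
	option direction 'upstream'
	list altnet '0.0.0.0/0'

config phyint
	option network 'gre_in_static'
	option zone 'lan'
	option direction 'downstream'
```

Both routers need the gre kernel package and the outside one needs igmpproxy installed; the firewall on the outside router must also accept IGMP and the UDP stream on wan and allow forwarding into the tunnel zone, which is omitted above. The alias syntax (`option ifname '@gre_out'`) is the Chaos Calmer era form; newer OpenWrt releases spell it `option device '@gre_out'`.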

Somewhat complicated to get all the pieces set up together. If only the Marmitek box did not limit multicast, the simple VLAN bridge would have worked.