N0x0n

@N0x0n@lemmy.ml


N0x0n, (edited )

And if you’re somehow getting inaccurate data… How?

I’m not sure how I could get inaccurate data. I have a rooted android and de-bloated to a maximum. Strangely enough PCAPdroid only works without a VPN connection… And those requests appear when I open the AdguardVPN app.

Other apps like Firefox don’t send that many DNS requests, just the usual ingest.sentry.io.

Edit: I have added other screenshots

N0x0n,

After installing AdguardVPN and testing it against Exodus this is what I got:

https://lemmy.ml/pictrs/image/3d18e0b5-dfec-475d-ad3b-6121df4bd48e.jpeg

N0x0n,

Hey I gave it a second try with another tool: PCAPdroid and I’m not sure what I’m looking at … Adguard VPN seems effectively to send a lot of traffic to strange DNS requests…

Just by opening the app and logging in to a fake account I got over 200 requests…

https://lemmy.ml/pictrs/image/1737303c-1e8f-4cd2-a645-77e4a604b083.png

I’m not an expert but those requests seem sketchy !!!

N0x0n,

Yes :) just after I log in ! PCAPdroid doesn’t allow a VPN connection.

N0x0n,

I would say Yes. If you are on android give PCAPdroid a try and see it by yourself.

N0x0n,

The order seems sketchy, that’s not A-z. And if they chose to order by application name, safari would be buried way down the list xD.

N0x0n,

Yeah but that doesn’t answer my question: What’s the implication of ./ in the tar file? I mean when I extract them, both seem similar but most people say it’s bad practice or not recommended but why?

I know and do understand how to achieve both with and without the root folder.

N0x0n, (edited )

Thank you, I think this is a good lead, but couldn’t find a lot of information about it. But the general gist is that it could overwrite my folder structure and mess up the filesystem (source). All sources I found are very old, does that mean that there’s some kind of protection today?

I also found out that it will extract the permission and owner to the current directory :/ so this is a very odd behavior… (source).

Thank you for your answer !

N0x0n,

Thank you for testing it out and giving some nice insights on how to improve the command. Just curious what’s about the parenthesis (sudo cd ./testar && sudo find . -maxdepth 1 -type d,f)? I have never seen a command structured like that !

Regarding my question, someone led me in the right direction. This could overwrite my actual folder structure (tarbomb) depending on where it’s extracted and the absolute path in the tar. It will also extract the permission and ownership to the current directory… source

N0x0n,

Thank you ! Your edit is related to what’s called a tarbomb. I also found out that it will overwrite the owner and permission to the current directory… Very odd behavior ! source


I noticed that you are also getting duplicates in your output 2 tar file, because you are feeding it the folder, and then the folder contents.

Haha, that was only an example xD to get context. My english is not that good, so I have to somehow show what I mean.

N0x0n,

Hey :) Thanks for your input but after some insight from other users I actually found out it could overwrite my folder structure (tarbomb) and also overwrite the permission/owner to the current directory (see my edited post for source). My example is probably really bad because it doesn’t contain any absolute path, but the permission/owner change still holds in the current directory.

Sorry if my question was badly written.

N0x0n,

Haha, thank you xD I think I wouldn’t lose my sleep over it, except if I tarbomb my server !! My question was probably badly written, but this kind of structure could actually be dangerous !

N0x0n,

Thank youuu !! I learned something really interesting !!! :)

(sudo cd ./testar && sudo find . -maxdepth 1 -type d,f) | cut -c3- | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -

So, you’re trying to sudo cd ? :P I tried a hacky way I found on superuser.com sudo sh -c ‘cd dirname’ doesn’t work -_- !

Thank you very much :))) The cut -c3- is a nice alternative !!

N0x0n,

You’re right :) In my current example it’s probably “harmless” if extracted properly in a separated folder. Maybe I do not understand how it works (please educate me :)) but if my tar contains the following folder ./home/user/ and I extract it in my current home folder (which would be kinda stupid but it happens) this will overwrite the home folder (which is the principle of a tarbomb? mess up and overwrite directories?).

A related problem is the use of absolute paths or parent directory references when creating tar files. Files extracted from such archives will often be created in unusual locations outside the working directory and, like a tarbomb, have the potential to overwrite existing files. However, modern versions of FreeBSD and GNU tar do not create or extract absolute paths and parent-directory references by default, unless it is explicitly allowed with the flag -P or the option --absolute-names. source

There’s still another odd behavior with ./ ! When extracted it will overwrite the permission/owner to the current directory source
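The three things this comment raises (absolute paths, parent-directory references, and an archive entry for `./` itself) can be checked by listing an archive before extracting it. The following is an added example, not part of the original post; the function names `build_sample` and `audit_tar` and the sample member names are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath


def build_sample(entries):
    """Build an in-memory tar from constructed (name, is_dir) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, is_dir in entries:
            info = tarfile.TarInfo(name)
            if is_dir:
                info.type = tarfile.DIRTYPE
                info.mode = 0o700
            tar.addfile(info)
    buf.seek(0)
    return buf


def audit_tar(fileobj):
    """List members without extracting; return (findings, top_level_names)."""
    findings, top_level = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            parts = PurePosixPath(m.name).parts
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path"))
            elif ".." in parts:
                findings.append((m.name, "parent-directory reference"))
            elif not parts:
                # The archive carries an entry for "." itself: extraction applies
                # its mode (and, as root, its owner) to the target directory.
                findings.append((m.name, "entry for current directory"))
            else:
                top_level.add(parts[0])
    return findings, sorted(top_level)


# Constructed samples: an archive made from inside the folder ("./..."),
# one with a single root folder, and one with unsafe member names.
DOT_ARCHIVE = [("./", True), ("./notes.txt", False), ("./.config", False)]
ROOTED_ARCHIVE = [("testar/", True), ("testar/notes.txt", False)]
UNSAFE_ARCHIVE = [("/etc/example.conf", False), ("../outside.txt", False)]

if __name__ == "__main__":
    for label, sample in [("dot", DOT_ARCHIVE), ("rooted", ROOTED_ARCHIVE),
                          ("unsafe", UNSAFE_ARCHIVE)]:
        print(label, audit_tar(build_sample(sample)))
```

More than one name in the returned top-level list means the archive has no single root folder and will scatter its contents into whatever directory it is extracted in.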

N0x0n,

Thank you very much for the clarification ! That’s exactly the kind of input I was looking for ! I tried it out and you’re absolutely right ! I will edit my post.

N0x0n,

Thanks, after a long sleep I edited my post to avoid misinformation and errors due to my lack of knowledge ! Thanks for your time and clarifications on that specific point !

N0x0n, (edited )

Thanks ! I changed that specific point, my command looks way cleaner now ! But I still use the find command to extract the names with -printf “%Pn” to tar only the files without the parent folder and ./ ./files. I prefer it that way, it looks cleaner. But -type d,f is useless !

use find to export the list, and then check it before you let tar run on that output

This seems a more secure way of doing things. Do you have any personal experience with piped tar commands that back slashed and put your system at risk?

Edit: I just found an easier way… (cd testar/ && tar -czvf …/mydir.tgz {*,.*}) Which includes hidden files without parent folder and ./ !

N0x0n,

Thank you for the clarification ! That’s why most posts are from 2007 and I couldn’t find any recent documentation !

Will take a look at path-traversal vulnerability thanks for the info !

N0x0n,

Thanks !!

N0x0n,

He will surely die on his hill… ALONE !

PSA: Docker nukes your firewall rules and replaces them with its own.

I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enormous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was...

N0x0n, (edited )

If you are talking about the IP address then just add a static address, no? I do it anyway in my docker compose:


    ...
        networks:
          traefik.net:
            ipv4_address: 10.10.10.99

    networks:
        traefik.net:
          name: traefik-net
          external: true

I’m not an expert so maybe I’m wrong, if so do not hesitate to correct me !

EDIT: If the IP address doesn’t change, you do not need to change the routing and iptables/nftables rules. ??

N0x0n,

Thanks for sharing your script :) I never thought you would need such a complex (not a programmer so it’s complex for me xD) script. This seems a full automation and looks great ! Well done, it was worth it !
