JTAG/RGH console users must take special precautions when connecting to Xbox Live in order to avoid getting banned instantly or within a few hours of connecting. Stealth server services such as Proto (free), Nfinite (paid), Cipher (paid), XBonline (defunct), or Teapot (paid) exist as a means of connecting "safely" to Xbox Live. Stealth servers make your console appear as retail to the Xbox Live servers. Be aware that it is never 100% safe to connect to Xbox Live with a modified console, and you may get your console and/or account banned. Alternatively, you can install a dual NAND mod in your console to have both a retail NAND and a modified NAND. The retail NAND can be used to connect to Xbox Live without requiring a stealth server. If you plan on playing offline, you can also block Xbox Live using this guide.
So the other day I had a UPS of mine die. After taking it apart, as I like to do with everything, I thought: what could I turn this into? After several ideas had passed I realized that I had come up with a really good one. I thought, hey, why not make it a hidden storage server? The question now was where to hide such a hideous creation. Well, that part was the easy part: plain sight. So after some tinkering, a few experiments and some research I decided to go ahead with it. The ultimate hidden rogue server.
The Server Camouflage (also known as a UPS):
This is the UPS we will be modifying. We chose a UPS for several reasons. First, we need the housing to be large enough to hide our server in, but still be totally inconspicuous. Second, we needed to have network cables coming out of our housing without it looking odd; if we used a toaster with a LAN cable, for instance, it might look a little suspicious, but a UPS with a LAN surge suppressor in it, no problem! Finally, we wanted it to be an object in the vicinity of the computer that would be connecting to it; after all, the best hiding place is in plain sight. I recommend finding a broken UPS from your local surplus or thrift store, although CompUSA often has them on sale for about $35.00. Make sure to find one with the RJ45 surge protector.
The first step is to gut your UPS. This is not necessarily a haphazard hack-and-slash step. We need to preserve the leads, switches, breakers and the entire outlet wiring 100%, as we will be keeping this as a stripped-down power strip as well to help with the camouflage process. As you can see, there is plenty of room as long as we lay it out right.
Next up is to carefully remove the innards of the switch or router you chose. While doing this, use the same careful consideration you would lend a new CPU or motherboard, as one bad zap of static can toast the unit entirely.
For the attachment of the NSLU2 we used hot glue again. Before we seated the board into the chassis we took some time to make notches in the plastic sides. There are a couple of ribs of plastic that run around the case that were really easy to get to. This will help secure the board into the chassis.
In this instance it was important to plug in the USB cables before we put the board into the case, due to slim tolerances. We had to use a razor to carefully trim some of the plastic away from the plug end so the cable would flex enough for what we needed. Cutting into the side supports protruding from the sides of the UPS case gave us a precious extra 1/8 inch.
Since the plastic covering adds a ton of bulk to the transformers, I decided to remove them. Next up was to lengthen the 110V leads with our 12 gauge wire. Then we cut the longer cables to the device and shortened them with some solder and electrical tape.
Now things are starting to get a little tight. Once the wall warts were plugged into their appropriate parent devices we could hot glue them in. Then comes soldering the wires together into the 110V system. Once the wires are soldered together, use a piece of electrical tape to keep the wires from shorting out on each other.
The server is not sending anything, it's the client telling you the server refused the connection. That's the expected behaviour if a TCP port is closed when you try to connect.
If you want your system to silently drop packets without sending a "this port is closed" TCP answer (a so-called stealth port), you need to use a firewall on the system and/or in between it and the client.
What you see is most likely your client's reaction to an ICMP port-unreachable sent by the server upon receiving the first TCP SYN-packet for a port that does not accept connections. This is correct behavior and allows the client to quickly tell you so.
If you actually mean stealth as in "this host is non-existing, dead or offline and doesn't send anything at all", configure your firewall to drop (as opposed to reject) any packets to this port. Assuming netfilter/iptables:
When a client program sends a TCP SYN packet to request a connection, a reply packet with the ACK and RST flags set, according to examination of captured packets, is classified as a connection refused error. No service is listening on the port, and the port is closed.
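The distinction the answers above draw, between a closed port (the peer answers the SYN with RST/ACK and the client reports "connection refused") and a stealth port (a firewall DROPs the SYN and the client only times out), can be observed from the client side with nothing more than a plain TCP connect. The following Python script is an added example, not code from any of the answers; it classifies what the client saw, and its self-test uses a loopback port that is deliberately left unbound (a constructed input, so it runs offline). The `filtered` branch cannot be triggered on loopback, since nothing there drops packets; it is what you would see against a host whose firewall is configured to drop rather than reject.

```python
"""Classify a TCP port from the client's point of view.

'closed'   : the host replied to our SYN with RST/ACK -> ConnectionRefusedError
'filtered' : nothing came back at all (SYN dropped by a firewall) -> timeout
'open'     : three-way handshake completed
"""
import errno
import socket


def classify_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connect and map the outcome to a port state name."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            # RST/ACK arrived: host is up, no listener, no packet filter in the way.
            return "closed"
        except (socket.timeout, TimeoutError):
            # Neither SYN/ACK nor RST within the timeout: the SYN was dropped
            # (the "stealth" behaviour of a firewall DROP rule).
            return "filtered"
        except OSError as exc:
            # e.g. EHOSTUNREACH / ENETUNREACH: an ICMP unreachable was received,
            # which is a reject-style answer from a router or host firewall.
            return "unreachable (%s)" % errno.errorcode.get(exc.errno, exc.errno)
        return "open"


def find_closed_local_port() -> int:
    """Constructed test input: bind an ephemeral loopback port, release it and
    return the number, so a connect to it is refused with RST/ACK."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def open_local_listener():
    """Constructed test input: a real listener on an ephemeral loopback port.
    Returns (socket, port); the caller closes the socket when done."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    closed_port = find_closed_local_port()
    print(closed_port, classify_tcp_port("127.0.0.1", closed_port))
    listener, open_port = open_local_listener()
    print(open_port, classify_tcp_port("127.0.0.1", open_port))
    listener.close()
```

The ordering of the `except` clauses matters: `ConnectionRefusedError` and `TimeoutError` are both subclasses of `OSError`, so the generic handler must come last or it would swallow the specific cases.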
With fwknop deployed, anyone using nmap to look for SSHD can't even tell that it is listening - it makes no difference if they want to run a password cracker against SSHD or even if they have a 0-day exploit.
Most DNS servers are schizophrenic - they may be masters (authoritative) for some zones, slaves for others and provide resolver or forwarding services for others. Many observers object to the concept of DNS types partly because of the schizophrenic behaviour of most DNS servers (they are frequently of more than one type) and partly to avoid confusion with the named.conf zone parameter 'type' which only allows master, slave, stub, forward, hint. Nevertheless, the following terms are commonly used to describe the primary functionality of DNS servers.
One of the basic rules of security is that only the minimum services necessary to meet the objectives should be deployed. This means that a secure DNS server should provide only a single function, for instance, authoritative only, or caching only, not both capabilities in the same server. This is a correct but idealistic position, generally possible only in larger organizations. In practice many of us run mixed mode DNS servers. While much can be done to mitigate any security implications it must always be accepted that, in mixed configurations, increased risk is the downside of flexibility.
The terms Primary and Secondary DNS entries in Windows TCP/IP network properties mean nothing, they may reflect the 'master' and 'slave' name-server or they may not - you decide this based on operational need, not BIND configuration.
It is important to understand that a zone 'master' is simply a server which gets its zone data from a local source as opposed to a 'slave' which gets its zone data from an external (networked) source (typically the 'master' but not always). This apparently trivial point means that you can have any number of 'master' servers for any zone if it makes operational sense. You have to ensure (by a manual or other process) that the zone files are synchronised but apart from this there is nothing to prevent it.
Just to confuse things still further you may run across the term 'Primary Master' this has a special meaning in the context of dynamic DNS updates and is defined to be the name server that appears in the SOA RR record.
A master DNS server can NOTIFY zone changes to defined (typically slave) servers - this is the default behaviour. NOTIFY messages ensure zone changes are rapidly propagated to the slaves (interrupt driven) rather than rely on the slave server periodically polling for changes. The BIND default is to notify the servers defined in NS records for the zone - except itself, obviously.
A zone master can be 'hidden' (only one or more of the slaves know of its existence). There is no requirement in such a configuration for the master server to appear in an NS RR for the domain. The only requirement is that two (or more) name servers support the zone. Both servers could be any combination of master-slave, slave-slave or even master-master.
A Slave DNS gets its zone data using a zone transfer operation (typically from a zone master) and it will respond as authoritative for those zones for which it is defined to be a 'slave' and for which it has a currently valid zone configuration. It is impossible to determine from a query result that it came from a zone master or slave.
Assuming NOTIFY is allowed in the master DNS for the zone (the default behaviour) then zone changes are propagated to all the servers defined with NS Records in the zone file. Other acceptable NOTIFY sources can be defined using the also-notify parameter in named.conf.
The definition of a slave server is simply that it gets its zone data via zone transfer, whereas a master gets its zone data from a local file system. The source of the zone transfer could just as easily be another slave as a master. So what sane human would want to do that?
Assume you want to hide your master servers in, say, a stealth configuration; then at least one slave server will sit on the public side of a firewall, or similar configuration, providing perimeter defence. To provide resilience you would need two or more such public slaves. The second slave can be updated from the same master as the first, or it could be updated from the slave server - we'll call it the 'boss' slave to avoid getting into tortuous terminology (is it a master-slave or a slave-master?). To configure this miracle the second slave server would define the 'boss' slave's IP in its masters statement. When the 'boss' slave has successfully transferred a zone file (from the master) it will send out NOTIFY messages (the default) unless configured not to do so. This type of configuration will marginally increase latency for updating the zone on the second slave - but that may be more than offset by increased stealth.
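The hidden-master arrangement described above (hidden master, a public 'boss' slave, and a second public slave fed from the 'boss' slave) can be expressed as three named.conf fragments. These are an added example, not configuration from the page or from the BIND project; the addresses are RFC 5737 documentation addresses chosen here as assumptions (192.0.2.1 hidden master, 192.0.2.10 'boss' slave, 192.0.2.11 second slave), and the zone name and file paths are placeholders. Because the hidden master does not appear in any NS record, the default NOTIFY behaviour would reach nobody, so it names the 'boss' slave explicitly with `also-notify`; each server also restricts `allow-transfer` to the one host that legitimately pulls the zone from it.

```conf
// ---- hidden master (192.0.2.1): not listed in any NS RR, not reachable from outside ----
options {
    notify explicit;                  // notify only the also-notify list, not the NS RRs
    also-notify { 192.0.2.10; };      // the 'boss' slave is the only server told about changes
};
zone "example.com" {
    type master;
    file "/var/named/master/example.com.zone";
    allow-transfer { 192.0.2.10; };   // only the 'boss' slave may AXFR/IXFR this zone
    allow-query { localnets; };       // nobody on the public side queries the master directly
};

// ---- 'boss' slave (192.0.2.10): public, listed in an NS RR ----
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };           // pulls the zone from the hidden master
    file "/var/named/slave/example.com.zone";
    // notify defaults to yes: after a successful transfer this server sends
    // NOTIFY to the other NS-RR servers (i.e. the second slave), but not to itself
    allow-transfer { 192.0.2.11; };   // only the second slave may pull the zone from here
};

// ---- second slave (192.0.2.11): public, listed in an NS RR ----
zone "example.com" {
    type slave;
    masters { 192.0.2.10; };          // the 'boss' slave's address, not the hidden master's
    file "/var/named/slave/example.com.zone";
    allow-transfer { none; };         // end of the chain: nobody transfers from here
};
```

With this layout a query result from either public slave is indistinguishable from one served by the master, while the master's address never appears in the zone data and is never needed by anyone except the 'boss' slave.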