ssh session hijacking

I’ve created a simple scenario with ssh session hijacking. There is single session open from host A to host B and I can create another connection inside of established connection. I’m wondering how to detect in a SIEM such an activity?I can’t use ports because there is only one normal ssh connection.

Any ideas?

Is an index, nonce and HMAC good enough for session management?

I’m researching session management for web applications. I’ve been looking at a couple places, and from my understanding is we shouldn’t use a secret as a session identifier(index). Because it can lead to timing attacks.

Let’s say for the sake of performance sessions on the server-side are stored in cache/memory. And the index is reset(e.g: starts back at 1) every time the server restarts or they are all purged.

session_payload = index || HMAC(server_key, index) 

But doing it like that would leave room for replay attacks, right? An attacker could generate a bunch of session payloads and store them for later to hijack sessions. Something is needed to make each session payload unique to prevent that, right?

So what about:

payload = index || nonce session_payload = payload || HMAC(server_key, payload) 

If my understanding is correct, the nonce just needs to be unique to make the session payload unique. Should it be just the output of a CSPRNG, RNG or the current time(milliseconds?, nanoseconds?)? What are the caveats of each?

So if the above is done right, it should be able to avoid:

  • Timing attacks.
  • Volume attacks.
  • Replay attacks.*
  • Tampering.

Right? And is there any other attacks I should be aware of? Please exclude session fixation, that can be mitigated via session payload regeneration on privilege escalation.

  • What I define by a replay attack, is adversaries could store pre-computed session payloads and hijack sessions later, hence the use of the nonce.

what is crashing/exiting my gnome window session?

From time to time (but really too often) my desktop environment (for now xfce4) exits/crash itself and the system goes back to the login screen (gdm) silently.

In syslog I can see in correlation with the time of the exit a bunch of :

Oct  1 16:30:25 ultraviolet update-notifier[23392]: update-notifier: Fatal IO error 11 (Resource temporarily unavailable) on X server :2. Oct  1 16:30:25 ultraviolet gsd-keyboard[22021]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :2. Oct  1 16:30:25 ultraviolet google-chrome.desktop[22244]: [22517:22523:1001/163025.520037:ERROR:x11_util.cc(110)] X IO error received (X server probably went away) Oct  1 16:30:25 ultraviolet google-chrome.desktop[22244]: [22244:22244:1001/163025.520208:ERROR:chrome_browser_main_extra_parts_x11.cc(62)] X IO error received (X server probably went away) Oct  1 16:30:25 ultraviolet gnome-session-binary[21647]: WARNING: App 'org.gnome.SettingsDaemon.Wacom.desktop' exited with code 1 Oct  1 16:30:25 ultraviolet gnome-session[21647]: gnome-session-binary[21647]: WARNING: App 'org.gnome.SettingsDaemon.Wacom.desktop' exited with code 1 Oct  1 16:30:25 ultraviolet gnome-session[21647]: gnome-session-binary[21647]: WARNING: App 'org.gnome.SettingsDaemon.Clipboard.desktop' exited with code 1 Oct  1 16:30:25 ultraviolet at-spi-bus-launcher[21769]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":2" Oct  1 16:30:25 ultraviolet at-spi-bus-launcher[21769]:       after 1175 requests (1175 known processed) with 0 events remaining. Oct  1 16:30:25 ultraviolet gsd-xsettings[21987]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :2. 

but my Xorg.log doesnt say anything during that time.

Where can I start to investigate ? What can I try ?

Thank you for any pointer 🙂

nb: not sure if this is relevant but this is a multiseats system.

what is an EFI Session?

i have no idea what im doing so dont be surprised if i sound like an idiot asking these questions. I have 2 drives, one an SSD holds all the windows 10 stuff and the other just holds games and big files as my SSD is running out of space. i have my second drive in 2 partitions. i think i installed ubuntu on the second partition. but it said something about going on a EFI session and to do a boot repair. i did the boot repair and it didn’t work. the grub didn’t install during the ubuntu installation. on my main ssd there isnt a grub installed. I have been using the windows bootloader.

How to have persistent session settings in SDDM for each user?

I use SDDM as session manager in Lubuntu 19.04. By default I got two desktops: Lubuntu and LXQt. I have two users. Each one uses a different desktop session.

However, every time I switch users, the last used desktop session is shown in drop-down list (when in SDDM).

How can I configure SDDM so it remembers that user1 always starts with Lubuntu session and user2 with LXQt?

Right now the user must manually choose the session every time he enters. I believe it should be a matter of selecting the user, writing the password and voilá!

What do I do when problem player does not attend Session 0?

Apologies if this is not the correct place for this question but I’m at a bit of a loss for what to do and would appreciate the advice of an experienced GM.

My party have been playing DnD 5e since July 2017, I DMed us through Lost Mine of Phandelver with a lot of success. At the start of the campaign the players all rolled their own characters and I asked them to write back stories as I was writing homebrew story hooks based on these for the future. We started out with 3 players but by the end of the campaign we had 6. The character who was added around session 3 was met with distrust from one of the original characters (we’ll call him P1) and this escalated quite a lot due to drunkenness on the P1 player’s part. In a later session this was revealed by the player to be a racist dislike for all dragonborns justified by an event in P1’s backstory. I was unsure of this but the new player was happy enough to roleplay it out but over the course of the rest of the campaign, this was never resolved – an explanation has never been given in character though all players know why the character behaves this way. P1’s character still says horrible things to the dragonborn and makes a point of stating how much he dislikes him at any given opportunity.

We finished LMoP and started onto my homebrew stuff. P1 and another player were often not able to attend DnD due to other commitments and we decided to pause that campaign until we were more available. One of the other players has DMed through some homebrew and the start of Tomb of Annihilation for about 3 months – P1 behaved a little better during this, no racism, just a bunch of spotlight stealing.

We’ve recently resumed our original campaign and P1 player claimed that he had lost his character sheet. Fine, I say, choose to roll a new character or remake him as best you can based on memory. He elects to remake this P1 character – the only thing is, he doesn’t remake the character at all the same. Half way through the session, the character is revealed to be multiclassed now sharing the same class as the character he is racist against. Another cause of tension. In fairness, I should not have allowed this – I should have put my foot down then and there. But we were mid-game and I didn’t want to disrupt it for the other players. I should have fixed this after the session but I was hoping it wouldn’t be a problem. He had also forgotten his whole back story which is very frustrating for me as I put a lot of work into the plots surrounding it.

In our most recent session the P1 player was more disruptive than usual – changing things about his character [including giving him an obnoxious accent], interrupting me, talking to me the person not me the DM or NPC about things irrelevant to DnD in the middle of the session during other characters conversations with an NPC and trying to talk to other NPCs while I’m speaking with another character. Claiming to have magical abilities beyond what was previously agreed – a cantrip being used like it’s some all powerful spell and then long arguments that I said he could do it last week, etc. The other players were frustrated and a few of them mentioned it to me after the session. Our dragonborn’s player has also stated that he now dreads sessions when he knows P1 player’s character will be present.

It had come to a head for me. We’d jumped into all this without a session 0 so I decided that I needed to make my expectations clear. In an effort to iron out the misunderstandings between us all I scheduled a Session 0 for this evening. I sent a list of questions with the options of sending answers to me to be discussed at the table or just answering on the night. P1 player obviously elected the latter. But lo and behold, we get a message this morning that he is ‘sick’ and not going to attend tonight. I have suggested that we Skype him in and he is ignoring us. Most of the other players think he is avoiding the session because he doesn’t want to have his behaviour brought into question.

How do I proceed? What is the best thing to do here? Do I just send him the answers to the questions decided by the rest of the group? Do I demand he sends his answers?

Thousand of session (sess_*) files in tmp directory

I have 3 VPS with similar setup that hold news/blogging wordpress websites. In 2 of them i keep getting thousand sess_* files in /home/user/tmp directory. I had to set a cron job to delete these files in 2 of those VPS’s and can’t understand what is the problem and why i get this issue in only 2 of them and not in the third one. I really have googled for hours to find a solution, but i can’t find anything that works.

I am not an ubuntu specialist, so any help would be much appreciated.

Thank you all.

ENVIO DE DATOS SESSION POR POST. NODE JS MONGODB EJS

Necesito pasar dos parametros. El DNI (con el cual el usuario se registro y el id del candidato al que votó.

La ruta buscada seria como por ejemplo:

http://localhost:3000/api/DNI/ID-CANDIDATO


Acá genere el formulario que enviara estos dos datos. Probe enviando el ID del candidato y anda perfecto. Me faltaria poder enviar el parametro DNI con el cual se logueo el usuario. Tenia pensado capturarlo de los datos de la sesion pero no se de que forma y si es la mas conveniente.

                <% locals.candidatos.forEach((item) => { %>                      <li class="col-12 col-md-6 col-lg-3">                         <div class="cnt-block equal-hight" style="height: 349px;">                             <img class="img img-fluid d-block mx-auto rounded img-thumbnail" src="<%= item.foto %>">                             <h3>                                 <%= item.nombreApellido %>                             </h3>                             <p>                                 <%= item.partido %>                             </p>                              <form id="formulario" action="/api/votapi/<%= item._id %>" method="POST">                                 <ul class="follow-us clearfix">                                     <button type="submit" class="btn btn-primary btn-block text-uppercase mb-2 rounded-pill shadow-sm" type="text">VOTAR</button>                                 </ul>                          </div>                     </li>                     <% }); %>                          </form> 

Desde la API lo quiero trabajar de esta manera ya que luego de recibir los datos del POST, por un lado incremento en 1 el voto al candidato elegido y por el otro modifico el booleano (por defecto en false) para convertirlo en true. Y asi usarlo para chequear si X usuario ya votó.

<!-- API --> routerApi.post('/:id', function(req, res, next) {     if (req.params.id) {         console.log(req.params.user.id);         Candidato.update({ _id: req.params.id }, { $  inc: { votos: 1 } }, { safe: true },             function(err, response) {                 if (err) return res.status(500).send(error);                 if (response) {                     User.updateOne({ dni: req.session.user.dni }, { $  set: { voto: true } }, { safe: true },                         function(err, response) {                             if (err) return res.status(500).send(error);                             if (response) {                                 res.status(200).redirect('/resultados');                                 console.log('Voto exitoso!')                             }                          });                 } else {                     res.status(500).send(new Error("No se pudo votar"));                  }             });     } });  <!-- Fin API --> 

Gracias de antemano. Saludos

I killed a PC’s animal companion at the end of last session, but later realized it should have survived; what are my options?

Notes: I am the DM, my players are a group of 7, levels of 11 or 12.

So, our last weeks session ended with a black dragon releasing an acid breath attack on the only visible enemies in a courtyard. This was a servant, my wife’s ranger PC, and her falcon animal companion. The servant and the falcon failed their Dex saves and took 58 points of acid damage, outright insta-killing both of them.

Going back to look at it as I prep for the upcoming session, I realize the falcon stats were incorrect. It should have 4 times the ranger’s level in hit points. As she is level 11, this would mean the falcon should have 44 hit points. Not only that, but the falcon should have had the ranger’s proficiency added to the Dex save, which would have made them pass the DC 18 Dex save, reducing the damage to 29 instead of 58.

As this was the last thing to happen at the end of last session, I wasn’t sure if I should retcon the hawk to still being alive and conscious, or leave it a pile of goopy acid and note that I will fix it with the next animal companion? What are my options in a situation like this and what are the pros and cons of making those choices?