Jul 2, 2015

Howto: Convert Metasploitable2 VMWare to Virtualbox


Tools: q-shell - Unix Remote Login And Rootkit Shell Tool.

q-shell is a quick shell for remote login into Unix systems. It uses the Blowfish cipher to protect data in transit from client to server. It comes as two programs: 'qsh' for the client and 'qshd' for the server; both can be renamed to any name you prefer.

Source:: http://blog.hackersonlineclub.com/2015/07/q-shell-unix-remote-login-and-rootkit.html

Tools: Detux - Multiplatform Linux Sandbox

Analyze Linux malware on the x86, x86-64, ARM, MIPS and MIPSEL CPU architectures.


Jun 30, 2015

Tools: honeypot-setup-script

A script to install and deploy a honeypot automatically and without user interaction.

Currently installs and sets up:
  • kippo
  • dionaea
  • p0f
These will all be installed as system services, so running this script once should turn a vanilla install into a robust honeypot. It aims to use useful and secure defaults.
Currently tested on Ubuntu 12.04.
Use with caution: This script will happily and without prompt overwrite files, change the port your SSH server runs on, and all sorts. It is intended to be run on a vanilla install of Ubuntu 12.04. No thought has been given to the integrity of existing installations of software, so be careful!

Source:: https://github.com/andrewmichaelsmith/honeypot-setup-script/

Jun 29, 2015

Howto: Install Snort + Barnyard2 on Ubuntu 14.04

1. Install Snort
# apt-get install snort
1.1 Configure snort for unified2 output (in snort.conf):
output unified2: filename snort.log, limit 128

2. Install Required package for Barnyard2
# apt-get install autoconf libtool libpcap-dev libmysqlclient-dev libdaq-dev libdnet-dev build-essential git

3. Download Barnyard2
# git clone git://github.com/firnsy/barnyard2.git

4. Create Configuration Compile File
# ./autogen.sh

5. Install libdumbnet-dev (Barnyard2 expects the header as dnet.h)
# apt-get install libdumbnet-dev
# ln -s /usr/include/dumbnet.h /usr/include/dnet.h

6. Compile Barnyard2
# make
# make install

7. Create configuration barnyard2.conf
cat > /etc/snort/barnyard2.conf << EOF
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname: yourhostname
config interface: eth0
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=userofdb password=pwdofuser dbname=snort host=
# to forward alerts also to syslog, uncomment the following 2 lines:
# output alert_syslog_full: sensor_name snortIds1-eth1, local
# output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
EOF

8. Copy the Barnyard2 MySQL schema
# cp schemas/create_mysql /usr/src/

9. Create the Barnyard2 log directory
# mkdir /var/log/barnyard2

10. Setup mysql
# apt-get install mysql-server
# mysql -u root -p
mysql > create database snort;
mysql > create database archive;
mysql > grant usage on snort.* to snort@localhost;
mysql > grant usage on archive.* to snort@localhost;
mysql > set password for snort@localhost=PASSWORD('password');
mysql > grant all privileges on snort.* to snort@localhost;
mysql > grant all privileges on archive.* to snort@localhost;
mysql > flush privileges;
mysql > exit

11. Create the table structure
# mysql -u snort -p
mysql> use snort;
mysql> source /usr/src/create_mysql;
mysql> show tables;
mysql> exit

12. Fix "ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)" problem
# cd /usr/share/oinkmaster/
# bash -c "sudo ./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"

13. Test run barnyard2
# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/test.log -C /etc/snort/classification.config

15. Create startup script /etc/init.d/barnyard2

#!/bin/bash
# /etc/init.d/barnyard2 - start/stop the Barnyard2 unified2 spooler
case $1 in
    start)
        echo "Starting Barnyard2"
        sudo bash -c "barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo"
        echo 'Barnyard2 started.'
        ;;
    stop)
        echo "Stopping Barnyard2"
        sudo killall barnyard2
        echo 'Barnyard2 stopped.'
        ;;
    restart)
        $0 stop
        sleep 4
        $0 start
        ;;
    *)
        echo "usage: $0 (start|stop|restart)"
        ;;
esac

exit 0

16. Change permission
# chmod 700 /etc/init.d/barnyard2

17. Try to stop/start the barnyard2 daemon with
# /etc/init.d/barnyard2 stop
# /etc/init.d/barnyard2 start

18. Add to startup service
# update-rc.d barnyard2 defaults 99
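
Added example, not part of the original howto: a minimal reader for the unified2 spool that Snort writes with "output unified2" (step 1.1) and that Barnyard2 consumes through "input unified2" (step 7), resolving signature IDs via a sid-msg.map in the "sid || msg" format produced in step 12. It decodes only the legacy IDS event record (type 7, Unified2IDSEvent_legacy, 52-byte body); the spool bytes and sid map below are constructed test data, not a real capture.

```python
import socket
import struct

UNIFIED2_IDS_EVENT = 7            # Unified2IDSEvent_legacy, 52-byte body
UNIFIED2_PACKET = 2               # packet record; skipped by this reader
HEADER = struct.Struct("!II")     # record type, record length (network order)
EVENT = struct.Struct("!11IHH4B") # field layout of Unified2IDSEvent_legacy

def parse_sid_map(text):
    """Parse sid-msg.map lines 'sid || msg || ref...' into {sid: msg}."""
    sids = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sids[int(parts[0])] = parts[1]
    return sids

def read_unified2(data, sid_map):
    """Walk a unified2 byte string and decode the IDS event records; other
    record types are skipped by length, a truncated last record ends the walk."""
    events, off = [], 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body = data[off + HEADER.size:off + HEADER.size + rlen]
        if len(body) < rlen:
            break                      # spool may still be written by snort
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT.size:
            f = EVENT.unpack(body)     # indices follow the struct field order
            events.append({
                "time": f[2], "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                "src": socket.inet_ntoa(body[36:40]), "sport": f[11], "proto": f[13],
                "dst": socket.inet_ntoa(body[40:44]), "dport": f[12],
                "msg": sid_map.get(f[4], "unknown sid %d" % f[4])})
        off += HEADER.size + rlen
    return events

def build_event(sid, src, dst, sport, dport, second=1435536000):
    """Build one type-7 record; constructed test data, not a real capture."""
    body = EVENT.pack(1, 1, second, 0, sid, 1, 1, 0, 1,
                      struct.unpack("!I", socket.inet_aton(src))[0],
                      struct.unpack("!I", socket.inet_aton(dst))[0],
                      sport, dport, 6, 0, 0, 0)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample spool and sid map (not taken from a real sensor).
SAMPLE_SIDMAP = "1000001 || LOCAL ssh probe || url,example.invalid\n# comment\n"
SAMPLE_SPOOL = (build_event(1000001, "10.0.0.5", "10.0.0.9", 51234, 22)
                + HEADER.pack(UNIFIED2_PACKET, 4) + b"\0\0\0\0"
                + build_event(2, "10.0.0.6", "10.0.0.9", 40000, 80))
```

To run it against a real spool, pass the bytes of a /var/log/snort/snort.log.* file and the text of /etc/snort/sid-msg.map to read_unified2 and parse_sid_map.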

CheatSheet: SSL Manual


This table accompanies the presentation referenced here. It lists various SSL/TLS checks that can be performed manually with OpenSSL or a browser. Sometimes the column "insecure result" doesn't actually refer to an insecure configuration (for example, it may be a nice-to-have) but this should be clear from the context of the issue or the comments.

Jun 28, 2015

Tools: Incident Response Malware Analysis: IRMA

IRMA intends to be an open-source platform designed to help identify and analyze malicious files. However, today's defense is not only about learning about a file; it is also about getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ...
An important value of IRMA is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network.

File Analysis Process

  1. An analysis begins when a user uploads files to the Frontend.
  2. Frontend checks for existing files and results in mongodb. If needed, it stores the new files and asynchronously calls scan jobs on Brain.
  3. Brain worker sends as many subtasks to Probe(s) as needed.
  4. Probe workers process their jobs and send back results to Brain.
  5. Brain sends results to Frontend.
Source:: http://n0where.net/incident-response-malware-analysis-irma/

Jun 27, 2015

Tools: Cowrie - Cowrie SSH Honeypot (based on kippo)

1. Install the python conch and web modules
# apt-get install python-twisted-web python-twisted-conch

2. Download Source From https://github.com/micheloosterhof/cowrie

3. Copy cowrie.cfg.dist to cowrie.cfg

4. Run cowrie with ./start.sh

5. Use iptables to redirect port 22 to 2222 (the port cowrie binds to)
# sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

6. Try to connect to port 22

7. Replay the attack with
# ./utils/playlog.py -f ../log/tty/20150626-135348-5c4ecc58.log

Source:: https://github.com/micheloosterhof/cowrie

Jun 24, 2015

Tools: iOS Penetration Testing Lab Environment

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try. This application also contains a section where a user can read various articles on iOS application security.
Source:: http://www.ehacking.net/2015/06/ios-penetration-testing-lab-environment.html

Tools: Evomalware - BASH script to detect malware/viruses/backdoors/... especially in PHP files.

Evomalware is a simple BASH script to detect malware/viruses/backdoors/... especially in PHP files.

Source:: https://github.com/evoforge/evomalware